Anti-Phishing Blog


Tuesday, June 09, 2009

Work at Home, Make Big Money

You may have heard of the customer working from home doing payroll or some other tasks for extra money. They use an account with your bank as a part of their job. It could certainly be a scam related to money laundering.

Some work at home offers are just scams. In this example, unwitting participants who thought they were processing payroll for an international company were actually money mules. Funds went into an account, and back out. The money was actually being laundered. It was stolen.

Alexey Mineev, of Hampton, New Hampshire, recently pleaded guilty to money laundering charges. He set up drop accounts that were used to receive and send monies that were stolen from brokerage accounts. Mineev could be sentenced to two years in prison and a $40,000 fine. His plea agreement has him returning the $112,000 he made for his part in the scheme between July and December 2007.

Mineev and his co-conspirators, Alexander Bobnev and Aleksey Volynskiy, worked as a team. They would entice users to install a special codec said to be required to watch an online video, a screensaver, or a security patch, any of which would actually be the delivery mechanism for a Trojan.

They could then monitor the users' activities, looking for passwords and other logon information for brokerage or bank accounts. Screenshots that showed the balance in the user's account could also be reviewed. Bobnev would review the accounts, and Mineev and Volynskiy would move the funds through drop accounts. Once the funds left the U.S. they would be virtually impossible to recover. Western Union was often used to move the money out of the country.

Your customers need a constant reminder to keep their cyber-safeguards up. They need to protect themselves from Trojans. And still other customers need to be vigilant about who they work for and what jobs they may be doing. They could be money mules and not know it. We have read on the BOL threads where both of these customers could be at the same bank. The bank is certainly a loser in this situation.


Monday, April 27, 2009

Possible Pandemic brings out Phishers

A pandemic triggered by the swine flu is causing panic for some. Others see this as an economic boost as they try to sell fake pharmaceuticals. There are a number of these phishing and spam emails being sent. Two of the more popular have a subject line of "First US swine flu victims!" and "Madonna caught swine flu!" according to Dave Marcus, director of security research at McAfee Inc.

Marcus said that about two percent of the spam today is on the flu. Some of these are out to sell phony or adulterated medications and some sites simply want to get the credit card number of anyone who falls for the pitch.

These are probably the same people who quickly register names of storms in hopes of taking advantage of the goodwill many people have when trying to help others. So it is no surprise to see this activity. But employees and customers alike need to realize that their own doctor and health system are where they need to go for information and assistance. Buying drugs based on an email is not the wisest choice someone could make. Not only may you not be protected after taking medications bought from an unreliable source, but they just might make you sick.


Wednesday, April 01, 2009

Internet Crime Up in 2008

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center, and the Bureau of Justice Assistance.

The IC3 recently reported that internet crime reports were up 33 percent in 2008. They reported 275,000 complaints in 2008 as compared to 207,000 in 2007. The dollar amount lost in these crimes in 2008 was $265 million. That amount is up only 11 percent over the prior year. Median losses were highest for check fraud ($3,000), confidence fraud ($2,000), and Nigerian letter fraud ($1,650).

The most common complaint received deals with nondelivery of merchandise (33%). Auction fraud (26%) and debit card fraud (9%) are ranked as second and third.

Men tend to lose more on internet scams than women. Men lose $1.69 for each dollar a woman loses. Men also place 55% of the complaints.

FBI Cyber Division Assistant Director Shawn Henry said, "This report illustrates that sophisticated computer fraud schemes continue to flourish as financial data migrates to the Internet. It also underscores the need for continued vigilance on the part of law enforcement, businesses, and the home computer user to be aware of these schemes and employ sound security procedures."


Friday, March 27, 2009

Scammers scam because scamming makes money

Bankers need to be diligent in reminding customers to protect their computers. When surfing the web, they must do so with security in mind. Part of that security means knowing about their computers, and not falling for scams that try to manipulate them with fear.

One such scam uses a pop-up window that tells them their computer is infected with a virus. Coincidentally, this pop-up also has a link to a program that will solve the problem. Ultimately the scammer wants your customer's credit card information. They think they are buying a useful, downloadable program. That isn't the scammer's motivation though.

Recently Finjan's Malicious Code Research Center discovered an "affiliate network" that gets paid for referrals such as those made via these pop-ups. They hack legitimate websites so that this pop-up will appear. The legitimate website is not aware at that time that it is being used.

The hacker is paid $.096 per referral, less than a dime. In their investigation though, Finjan found that in a 16 day period, 1.8 million referrals were made. The fees paid on 7,900 referrals would be $10,800 per day. Between 7 and 12 percent of the victims do install a useless or harmful program. They pay $50 for that. These fees can generate $172,000 in daily income. In addition, the consumer's credit card is now compromised.

Criminals employ these scams because they work. Based on the above, they could make $2 million a year. The cost your customer pays can be much greater than $50 though, and you have a cost as well. Your bank will have to pay that customer back all or part of their loss.

We urge you to educate your customers so they don’t fall for these scams.


Friday, February 20, 2009

Phishing Phrom Business Phunds

Phishing isn't always high tech. The SBA is warning small businesses NOT to respond to letters that claim to be from the SBA, requesting the bank account information of the business. The letter indicates this is for tax rebate qualification, but it is just a ploy to gain banking information and to steal funds.

The SBA news release is available here. Bankers may want to pass this information to their small business customers.


Thursday, February 05, 2009

Ticket to Malware

In Grand Forks, North Dakota, some people found parking tickets on their cars. Your first thought wouldn't be that this was an attempt to infect your computer with a Trojan, but it was.

The yellow fliers claimed to be tickets and included a web site link that had photographs depicting the traffic infraction. To see the photos you had to first download and install PictureSearchToolbar.exe. Since this is from law enforcement, it must be OK, right? Well, it is a Trojan, called Vundo by Symantec and McAfee and Monder by Kaspersky Labs. It then has a pop-up window to sell "AntiVirus360", which is a fake antivirus program.

The moral of the story here may be to follow the traditional path. Why would law enforcement assume you had an internet connection, and why didn't the "ticket" look like a traditional ticket with the traditional manner of paying it or contesting it? We have to be skeptical in all areas now. Your windshield may protect you from bugs, but it won't do the same for your computer.


Wednesday, January 28, 2009

Cyber Security from US CERT

Adding to the post below, I received the following cyber security tip from US CERT today. (The United States Computer Emergency Readiness Team is a partnership between the Department of Homeland Security and the public and private sectors.)

Cyber Security Tip ST06-007
Defending Cell Phones and PDAs Against Attack

As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device.

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

* abuse your service - Most cell phone plans limit the number of text messages you can send and receive. If an attacker spams you with text messages, you may be charged additional fees. An attacker may also be able to infect your phone or PDA with malicious code that will allow them to use your service. Because the contract is in your name, you will be responsible for the charges.

* lure you to a malicious web site - While PDAs and cell phones that give you access to email are targets for standard phishing attacks, attackers are now sending text messages to cell phones. These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service. Once you visit the site, you may be lured into providing personal information or downloading a malicious file (see Avoiding Social Engineering and Phishing Attacks for more information).

* use your cell phone or PDA in an attack - Attackers who can gain control of your service may use your cell phone or PDA to attack others. Not only does this hide the real attacker's identity, it allows the attacker to increase the number of targets (see Understanding Denial-of-Service Attacks for more information).

* gain access to account information - In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

What can you do to protect yourself?

* Follow general guidelines for protecting portable devices - Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).

* Be careful about posting your cell phone number and email address - Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.

* Do not follow links sent in email or text messages - Be suspicious of URLs sent in unsolicited email or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious web site.

* Be wary of downloadable software - There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate (see Understanding Web Site Certificates for more information). If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.

* Evaluate your security settings - Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Phishing with Text

Banks need to remind their customers that the bank does not contact them in emails or text messages asking them to send account numbers, debit card numbers and PINs over these unsecured channels. Phishing expeditions are continuing to thrive and now we see more and more attempts to gain information with text messaging.

Hello texting on your cell phone. Phishing expeditions are growing on cell phones as texting is becoming a common means of communication, and as many new cell phones were given as holiday gifts. Recently the Pittsburgh, PA police department warned that customers in dozens of states are getting messages on their Sprint cellular phones from dozens of banks, asking for confidential information.

Customers need to be suspicious, even if their caller ID tells them it is their bank calling or sending them a text message. "Spoofing" is a trick that allows the caller to contact them and make it appear as though it is their bank.

I recently read a news article where hackers in Asia were able to infect cell phones and initiate money transfers using those phones. In many areas of the world cell phones are used for banking where small purchases are made solely on the phone. This has not been popular in the U.S. But the message is the same: security and awareness are keys to protecting your customers.

If your customer has a question or receives a text message or email, they should be warned to call your bank using a known telephone number and not a "special one" provided in the message. Your bank then has to know where to send these calls for information. Infrastructure starts with you. Precautionary warnings should also appear prominently on your web site as a constant reminder.

Scammers send these messages because when a small percentage of a very large number do respond, they get money, your money. Stop the crime before it starts.