A Sacramento, California, hacker pleaded guilty to charges of fraud and identity theft for his involvement in an international cyberscam that used personal information stolen with phishing sites to open fraudulent Wal-Mart credit accounts.
Tien "Tim" Truong Nguyen pleaded guilty on Tuesday, the day before his case was set to go to trial, according to IDG News Service. Prosecutors said he had set up websites that used phishing tactics to dupe people into disclosing their personal information.
With the help of Romanian cybercriminals, Nguyen used the phishing websites to steal information that he supplied to others to open Wal-Mart instant credit accounts in stores throughout northern California, IDG News reported.
According to the mid-year online threat report from IBM, phishing spam made up just 0.1 percent of all spam email in the first six months of this year, down from between 0.2 percent and 0.8 percent of spam during the first half of 2008.
However, identity thieves can launch phishing attacks by poisoning search results with phony websites and other tactics to lure victims. Phishing fools as many as 55,000 new victims each month, according to one report.
Seattle man convicted of identity theft via Limewire P2P site
A 34-year-old Seattle man was sentenced to more than three years in prison yesterday for identity theft in a scheme that used the Limewire P2P file-sharing site to steal users' personal information in order to commit fraud.
The man, Frederick Eugene Wood, received 39 months in prison and three years of supervised release for wire fraud, accessing a protected computer without authorization to commit fraud and aggravated identity theft, IDG News reported.
According to the criminal complaint filed in the case, law enforcement had arrested Wood for defrauding a victim through Craigslist by selling the victim an Apple computer box without a computer in it.
Police then found a computer containing documents with personal information for more than 120 people across the country, including tax returns, bank statements and canceled checks.
An analysis of Wood's computer by the Federal Bureau of Investigation revealed that Wood had used Limewire to access the personal information stored on other people's computers. With this information, Wood forged checks which he used to purchase high-value electronics items, some of which he sold on Craigslist.
Authorities learned Wood was an associate of Gregory Kopiloff, who was sentenced in March 2008 to 51 months in prison for using file-sharing programs for identity theft and fraud.
Black Hat report: ‘Clampi’ Trojan a perfect tool for identity theft
A web security researcher for SecureWorks told hackers gathered at the annual Black Hat conference in Las Vegas that a data-stealing Trojan known as Clampi is being used for one of the most sophisticated malware and identity theft attacks on the web today.
The Clampi Trojan has spread to hundreds of thousands of PCs and swipes personal information from users in order to drain their bank accounts. One small business in Georgia, Slack Auto Parts, lost $75,000 earlier this month due to infection by the Trojan, according to Joe Stewart, researcher at SecureWorks.
Stewart said he has identified 1,400 banking websites in 70 different countries out of roughly 4,500 bank sites being targeted by those behind Clampi for the purpose of identity theft and fraud.
Clampi's recent success in infecting PCs comes from using domain administrator credentials stolen by the Trojan to copy itself to all computers on the domain. Clampi also spreads in drive-by download attacks when users visit a compromised website.
SecureWorks recommends that home computer users protect themselves online by doing their online banking on a separate, clean PC, not the one they use to surf the web and send and receive email.
Extent of identity theft and data breaches largely hidden
Despite stricter laws on disclosure of data breaches in places like California, a lack of proper incentives in reporting incidents may keep private companies from accurately reporting the extent of data theft, according to a web security expert at Hewlett-Packard.
Because compliance laws vary from state to state and are vaguely worded, many companies do not report data breaches in a timely manner, if at all, writes Todd Densmore at HP's security lab blog.
Densmore points out that disclosure policies only serve to highlight the number of incidents, while not necessarily encouraging a more proactive approach to data security.
That could be changing. Beginning August 1, the Federal Trade Commission will begin enforcing a Red Flags Rule that requires creditors and financial institutions to implement a written Identity Theft Prevention Program designed to detect the warning signs of identity theft in their day-to-day operations.
Beginning in 2010, Massachusetts will require all Social Security numbers, bank account numbers and credit card numbers to be encrypted when transmitted wirelessly or on public networks and when carried on portable devices like laptops, PDAs and flash drives.
"Preventative security medicine is the best and most cost effective policy," Densmore said in his post. "The cost of preventative security pales in comparison to the cost of cleaning of the mess after getting breached."
Identity theft warnings issued to 13,000 after LexisNexis data breach
Two data breaches involving a subsidiary of LexisNexis have exposed the personal information of more than 13,000 consumers, leaving them vulnerable to identity theft and fraud.
The New Hampshire Attorney General's office posted notification of the breaches on its website last Friday, according to IDG News Service. Under New Hampshire law, data breaches that affect residents of the state must be reported to the AG. The AG's office has since removed the letters.
LexisNexis spokesman Nick Ludlum said Wednesday that 13,329 letters were sent out to affected consumers June 19, according to the Associated Press.
The letters say personal information including name, address, driver's license and Social Security number may have been accessed through a former customer of Seisint, a subsidiary of LexisNexis.
Lee Klein, a Florida man with alleged connections to organized crime, is accused of the breach, according to the AP.
In May, LexisNexis warned about 32,000 people that their information was stolen as part of a credit card fraud by former business customers of LexisNexis and its subsidiary ChoicePoint.
Computerworld.com reported at the time that LexisNexis waited for more than a year to begin notifying the identity theft victims at the request of the U.S. Postal Inspection Service.
Biz Stone explains data theft from Twitter’s Google Apps
Twitter co-founder Biz Stone said yesterday that a hacker who gained access to a Twitter employee's personal email account was able to infiltrate the popular social network's Google Apps account to steal confidential company documents, underscoring the potential pitfalls of weak passwords and lax email security.
The hacker, known by the handle Hacker Croll, distributed files to various websites from Twitter's Google Docs, Calendar and "other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company," Stone said on the Twitter blog (hosted on Google's Blogger).
"Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines," Stone said in the post.
The website TechCrunch said Tuesday that it had received a zip file containing 310 documents, ranging from executive meeting notes and financial projections to salaries of Twitter employees.
Stone said the data theft was not a result of flaws in Google Apps, but was due to the fact that Twitter is under "a spotlight," putting a target on employees.
Google observed on its security blog that it has security measures in place for users of Gmail and other apps for business customers that make password recovery more secure, including an option for password recovery by mobile phone.
Goldman Sachs employee arrested for code theft
FBI agents on Friday arrested Sergey Aleynikov, a former employee of Goldman Sachs who allegedly stole 32 megabytes of code for a sophisticated automated trading platform and transferred it to a website hosted in Germany.
The federal complaint did not identify the victimized company, but the Reuters news agency confirmed that Aleynikov worked for Goldman Sachs.
An FBI agent on the case said in the complaint that Aleynikov was discovered because he transferred data while remotely logged on to his employee account. Goldman Sachs monitors transfers across its network.
Aleynikov allegedly used a script that copied, compressed and encrypted files, renamed them and then transferred them to a website in Germany. Once the data was transferred, the program used to encrypt the files was erased.
However, Goldman Sachs' system maintained a back-up copy of the record of Unix commands Aleynikov entered on his desktop, known as a "bash history." Aleynikov allegedly attempted to erase the bash history on his desktop, but was unsuccessful.
According to the complaint, Aleynikov had been employed since May 2007 to develop Goldman Sachs' trading software and had informed the company he was resigning to go to another trading company at three times his Goldman Sachs salary of $400,000.
ID theft possible using public data from social networks
Social Security numbers can be predicted with high accuracy from an individual's state and date of birth - information that is often publicly available on social networking sites - raising the risk of identity theft, researchers have found.
Alessandro Acquisti, a professor of information technology and public policy at Carnegie Mellon, and a fellow researcher used data from the Social Security Administration's Death Master File to detect statistical patterns to predict SSNs.
Combined with information from public databases or social networks, the prediction model could determine SSNs with alarming ease.
"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone," Acquisti said.
The researchers were able to identify all nine SSN digits for 8.5 percent of individuals born after 1988 in fewer than 1,000 attempts. They identified the first five SSN digits of 44 percent of individuals born after 1988 in a single attempt.
A fraudster who knows just the first five digits of an individual's SSN might use a phishing email to trick the person into revealing the last four digits. Botnets could be used to repeatedly apply for credit cards in a person's name until hitting the correct nine-digit sequence.