Showing posts with label SCAM. Show all posts

Indian Call Centre Credit Card 'SCAM' Exposed



A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man.

The seller denied any wrongdoing and Symantec corporation, from whom three victims bought a product via a call centre, called the incident "isolated".

Card fraud totalled £609m during 2008, according to payments group Apacs.

Symantec said it requires rigorous security measures of any third-party call centre agents and it believed the breach had been limited to a single agent.

The BBC team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details.

Two undercover reporters met the broker in a Delhi coffee shop for an encounter that was filmed secretly.

Secret filming exposes fraudster selling stolen credit card details
http://news.bbc.co.uk/1/hi/uk/7952419.stm

He told the pair he could supply them with hundreds of credit and debit card details each week at a cost of $10 a card.

After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14. He said the remainder would be sent later by e-mail.

The man claimed some of the numbers had been obtained from call centres handling mobile phone sales, or payments for phone bills.

Back in the UK, the broker continued to supply card details to one of the undercover reporters by email.

Nearly all of the names, addresses and post codes sold to the BBC team were valid. But most of the numbers attached to them were invalid - often out by a single digit.

However, about one in seven of the numbers purchased were valid - active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.


The BBC team contacted the owners of these cards and warned them that their details were now being bought and sold in India.

Three of those customers had, within hours of each other, bought a computer software package by giving their credit card details to a call centre over the phone.

Within hours of making the purchase, their details were fraudulently sent on to the reporters.

One of the victims said he was "disturbed" at what had happened.

Allan Little telephones the fraudster to confront him about what we found
http://news.bbc.co.uk/1/hi/uk/7952423.stm

The software was made by Norton, which is part of the Symantec corporation.

Symantec, which launched an investigation after being informed of the undercover probe, said the leak had come from a single source which has now been removed.

In a statement it said: "We are investigating how this incident happened and will take any appropriate steps to address any opportunities for improvement in our processes.

"We have engaged with the local law enforcement officials in India and will cooperate fully with that investigation. We are in the process of reviewing all possible options to manage this third party call centre, including moving away from it."

A spokeswoman stressed that "rigorous security measures" are put in place at call centres. For example, staff are not allowed to take electronic devices, memory sticks, pens or pencils to their desks. Internet and email access is also banned.

Wrongdoing denied


Saurabh Sachar, the seller, denied any wrongdoing or illegal activity.

When told that he had been filmed taking money from undercover reporters, he said they had borrowed that money from him and were paying it back.

He said the piece of paper handed over to undercover reporters contained "some directions" and a "kind of balance sheet".

And, when accused of providing credit card details he said they were "not correct". Mr Sachar also denied sending more details by e-mail.

Credit and debit card fraud cost the UK banking industry £609 million in 2008 - a rise of 14% on 2007.

Much of that fraud comes from transactions where the card is not physically present, such as telephone or internet sales.

The UK and the EU have stringent data protection laws. India has recently tightened up its rules governing the use of information technology, but it has no data protection legislation.

"India is only paying lip service to data protection," the Data Protection lawyer Pavan Duggal told BBC News.


"We don't yet have a dedicated legislation on data protection. Until such times as India comes across with strong stringent provisions on data security we will have instances like this keep on happening."

The huge expansion in credit card use in recent years has produced a new kind of fraudster - one that will try to exploit any opportunity to reach into almost any credit or debit account that is used to make telephone purchases.
 

Serious Security Alert for Monster & USAJobs Users


Careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, have published security alerts to their customers warning of a serious hacking attack.

Feeling a sense of deja vu? Well, you should be as this has happened before.

It appears that Monster.com's database and USAJobs.gov's database were compromised and contact and account information was stolen. Data stolen included users' login names, passwords, email addresses, names, phone numbers and some demographic data.

Here is a short video I have made, explaining the possible impact of this security breach - and explaining why you should take this opportunity to think long and hard about whether you are acting securely with your website passwords:


What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo.

Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the USAJobs.gov website, whose database is run by Monster.



Although the warnings are keen to emphasise what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may be placed in because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have received to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails that look more legitimate because they use the recipient's real name and other personal information (such as user id, phone number or location) are always more successful at socially engineering further details out of people, details that could then be used for identity theft.

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

That means that if hackers have managed to extract your Monster.com or USAJobs.gov password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use Monster.com or USAJobs.gov you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And *then* change your passwords at any other site where you might be using the same password. Make sure, of course, that it's not the same password as the one you are using at Monster - you don't want to make that mistake again.
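The advice above, to find every site where the breached password is reused and to pick something that is not a dictionary word, can be turned into a quick personal audit. The following Python script is an added example written for this page, not code from Sophos or Monster: it takes a list of (site, password) pairs such as a password-manager export, groups sites that share a password (grouping by a short hash so the report never prints the passwords), and flags short passwords and dictionary words with a trailing year or punctuation mark. The word list and the sample credentials are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a real word list; a deployment would load a
# dictionary file and a list of previously leaked passwords instead.
DICTIONARY = {"monster", "password", "letmein", "welcome", "summer", "qwerty"}


def fingerprint(password):
    """Short SHA-256 tag used only to group identical passwords in the
    report without reproducing them. This is not a storage scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def is_weak(password, min_len=12):
    """True for short passwords and for dictionary words dressed up with a
    trailing year, digit or punctuation mark (the 'Monster2009!' pattern)."""
    core = password.lower().rstrip("0123456789!@#$%^&*.")
    return len(password) < min_len or core in DICTIONARY


def audit(credentials):
    """credentials: iterable of (site, password) pairs.

    Returns (reuse_groups, weak_sites): reuse_groups maps a fingerprint to the
    sorted list of sites sharing that password (only groups of two or more),
    weak_sites lists sites whose password fails is_weak().
    """
    sites_by_fingerprint = defaultdict(set)
    weak = []
    for site, password in credentials:
        sites_by_fingerprint[fingerprint(password)].add(site)
        if is_weak(password):
            weak.append(site)
    reuse = {fp: sorted(sites) for fp, sites in sites_by_fingerprint.items()
             if len(sites) > 1}
    return reuse, sorted(weak)


# Constructed sample export: the same password on three sites, one of them
# a job site of the kind that was breached, plus one short password elsewhere.
SAMPLE = [
    ("jobsite.example", "Monster2009!"),
    ("mail.example", "Monster2009!"),
    ("shop.example", "Monster2009!"),
    ("auction.example", "correct-horse-battery-staple"),
    ("bank.example", "letmein1"),
]

if __name__ == "__main__":
    reuse, weak = audit(SAMPLE)
    for fp, sites in reuse.items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    print("weak passwords at:", ", ".join(weak))
```

Every site in a reuse group needs a different new password once any one of them is breached; the report lists them together so none is forgotten.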

Worryingly, this isn't the first time that Monster and USAJobs have been targeted by hackers who have stolen data about their users. 18 months ago, as this 2007 report from Reuters reveals, hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed up by a widespread phishing email campaign.
 

Chatwebcamfree Attack Hits Twitter Users


Hundreds of Twitter users have been hit by another attack on the popular micro-blogging site, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages which say

hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com

are being spammed out as Tweets.



However, the index page of that website serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com.



Clearly, if a hacker has managed to ascertain your Twitter password there is a chance that they may have also compromised your system in other ways too.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must also change those passwords too (please *don't* make it the same as your new Twitter password).

As we don't yet know how the hackers compromised accounts, it wouldn't do any harm to scan your computer with an up-to-date anti-virus product either.

Twitter has confirmed that approximately 750 accounts were hijacked by criminals during the course of this attack, and says that it has reset the passwords of all compromised accounts. That should stop the tidal wave of spam messages advertising adult webcam websites for now.

But there is still a lack of clarity about how the accounts were compromised in the first place.

Finally, one extra thing to throw into the mix. Last month, Facebook users reported seeing a very similar message.



You don't have to be Albert Einstein to put two and two together, and deduce that these attacks must be related.

We're seeing more and more attacks from spammers, phishers, malware authors, scammers and identity thieves against the users of social networks like Twitter and Facebook. These aren't just proof-of-concept attacks in controlled conditions - they're full-blooded assaults seen in the wild every day, making money out of real people.

Source: Sophos.com
 

eBay Scammers Work Unpatched Vulnerabilities in Firefox, IE



Other sites also vulnerable to CSS attack

eBay scammers have been exploiting unpatched vulnerabilities in the Firefox and Internet Explorer browsers to deliver counterfeit pages that try to dupe people surfing the online auction house to bid on fraudulent listings.

The attacks managed to inject eBay pages with hostile code by exploiting bugs long known to afflict Firefox and IE. While eBay has managed to block the exploit from working on its domains, other websites that accept user-generated content may still be vulnerable to the attacks, web security experts warn.

Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks.

The evil genius behind the eBay scheme managed to pull off what amounts to an XSS, or cross-site scripting, attack that injected forbidden JavaScript elements stored on third-party websites. That allowed the eBay pages to contain outside email links and other unauthorized code while still evading toolbars designed to detect fraudulent listings.

In addition to injecting a link that automatically prompts users to email the seller at an aol.com address, the scam used a random number generator to change the item number each time the page was loaded. Item numbers are supposed to be unique and are used to report fraudulent listings. Changing the number made it harder for eBay's fraud busters to remove bogus auctions.



The attacks targeted Firefox by exploiting the way the browser implements what's known as XBL, or XML binding language. By invoking a rogue CSS, or cascading style sheet, hosted on a third-party site, the Mozilla browser was tricked into running forbidden code that injected fraudulent content into the listings. Over the past week, there has been considerable debate among Mozilla security volunteers about whether the condition amounted to a security vulnerability or an intended feature. They decided to make changes to the browser after witnessing the eBay scams that abused it.

"Patches are being constructed to get rid of an existing useful feature due to the patent inability of some websites to take elementary protective measures even after 5 years of the feature existing and after being repeatedly told to NOT link to external sheets by all browser vendors," one debate participant wrote El Reg in an email. "Note that the patch won't really help eBay much unless they really do start filtering the CSS they allow, since so much can be accomplished with just CSS."

A similar bug, also related to off-site style sheets, allowed the eBay attacks to work flawlessly on IE browsers, as the above screenshot makes clear. The exploit targeted IE functionality commonly referred to as expressions, which has long been a known vector of XSS exploits. While IE 8 has been locked down to prevent such attacks, versions 6 and 7 of the Microsoft browser have not, and Bill Sisk, Microsoft's security response communications manager, said there are no plans to add such protections to the older browsers.

"Our investigation has shown that it is not a vulnerability in Internet Explorer," Sisk wrote in an email over the weekend. "In fact, the claim represents a method by which malicious attackers can exploit specific functionality in websites to bypass security measures. The nature of these attacks is not new and website operators commonly have protections in place to mitigate against such attacks."

Except when they don't, as was the case last week when eBay was hit by the attacks. Company spokeswoman Nichola Sharpe issued a statement that read in part: "This is not a new security threat, our online security experts are already aware of this and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats - and have done so with this threat."



Maybe, but eBay took more than 24 hours to remove one such fraudulent listing after it was reported, said Cefn Hoile, a browser security expert who first reported the Firefox issue.

"eBay has to take some responsibility for sure," Hoile wrote in an email. "They chose to serve this content which incorporated the third party stylesheet."

The only way to effectively protect users from such attacks is to white-list filter a set number of CSS functions deemed to be safe and to block everything else. That may be patently obvious to some, but if eBay has only now gotten around to implementing such measures, it's a good bet plenty of other websites are still wide open to this attack. Which means we wouldn't be surprised to see more attacks like these coming to a Web 2.0 site near you.
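The allow-list filtering described above, as an added example written for this page rather than eBay's, Mozilla's or Microsoft's own code: a server-side Python function that keeps only declarations whose property is on a short allow-list and whose value is made of plain tokens. Anything with parentheses (so url(), expression() and every other function), quotes, backslash escapes or braces is dropped, as are at-rules such as @import and properties that were never allowed, which is how an external style sheet or a vendor binding gets excluded without the filter having to know every dangerous construct by name. The property list and the sample declarations are constructed for the example.

```python
import re

# Properties a site is willing to serve in user-generated content.
# Constructed for this example; a real deployment tunes it to its templates.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-align", "text-decoration", "margin", "padding",
    "border", "width", "height",
}

# A value passes only if it is built from plain tokens: letters, digits,
# '#' for hex colours, '%', '.', ',', '-' and spaces. No parentheses, so no
# url(), expression() or any other function; no quotes, so the output can be
# placed in a style attribute; no backslash escapes, which browsers would
# unescape back into the rejected characters; no '{', '}', '@', '/' or '*'.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%.,\- ]+")

# Strip well-formed comments first so a comment cannot hide a separator;
# an unterminated "/*" simply fails SAFE_VALUE on whatever follows.
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def sanitize_css(declarations):
    """Allow-list filter for a block of user-supplied CSS declarations.

    Returns (clean_css, rejected): clean_css holds only declarations whose
    property is allow-listed and whose value matches SAFE_VALUE; rejected is a
    list of (declaration, reason) pairs for everything that was dropped.
    """
    kept, rejected = [], []
    for raw in COMMENT.sub(" ", declarations).split(";"):
        decl = raw.strip()
        if not decl:
            continue
        if decl.startswith("@"):
            # @import and other at-rules can pull in third-party style sheets.
            rejected.append((decl, "at-rule"))
            continue
        if ":" not in decl:
            rejected.append((decl, "malformed"))
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPERTIES:
            # Covers vendor bindings and any property we never chose to allow.
            rejected.append((decl, "property not allow-listed"))
            continue
        if not SAFE_VALUE.fullmatch(value):
            rejected.append((decl, "value contains disallowed characters"))
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept), rejected


# Constructed sample mixing harmless styling with the kinds of declarations
# the article describes: a CSS expression, an XBL binding and an @import.
SAMPLE = (
    "color: #ff0000; width: expression(1); "
    "-moz-binding: url(http://third-party.example/b.xml#x); "
    "@import url(http://third-party.example/s.css); font-size: 12px"
)

if __name__ == "__main__":
    clean, dropped = sanitize_css(SAMPLE)
    print("kept:", clean)
    for decl, why in dropped:
        print("dropped:", decl, "->", why)
```

The point of the design is the direction of the decision: nothing is served unless it matches a known-good shape, so a new browser feature or encoding trick has to get past the allow-list rather than the filter having to learn about it first.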
 

Feds Demand Obama Scam Ads Crackdown

By PK


Facebook and Google get pat on head

US federal regulators are telling online advertisers like Google and Facebook to crack down on scam artists that are promising users a personal slice of Obama's $787bn economic stimulus package.

Fraudster ads and emails have mushroomed in recent weeks tempting debt-laden patsies with the quick fix of "free" stimulus grant money – all they need to do is provide personal information, download software, or provide a small down payment. It's a typical online scam at heart, but the ruse using Obama as bait has attracted special attention from the US Federal Trade Commission.

Eileen Harrington, acting director of the FTC's Bureau of Consumer Protection, warned in a press conference on Wednesday that stimulus scam ads are now being plastered on social networking sites, streaming video sites, search engines, and more. She said the FTC has already reached out to Facebook and Google to start blocking the ads and both have been cooperative. When asked if other websites have been less congenial, Harrington said she's not going to name them now, but they "will be hearing from us."

"I would hope that this would really be a showcase opportunity for online media companies to do meaningful ad screening," she said. "We spent a lot of time at the Federal Trade Commission educating advertisers how to screen for and remove problematic ads, and this one should be a no-brainer."

She said a typical example of the stimulus scam is located at presidentobamagrants.com (the website is currently down, and we don't suggest you go there anyway). The site promises $25,000 in free grant money to pay off personal debts once you sign up. The catch is in the terms of service contract, which most users tend to click through without reading. By signing up the user agrees to an initial $1.99 charge for a trial membership. But if you don't cancel within 40 days, the user gets billed a fee of $99 for full membership. After that, there's an extra $49.95 charge every month for access to the website's "resources." Signing up also automatically enrolls the user into a 21-day trial of a second program – which charges $29.95 per month if not canceled.

"These websites tout free money for you, but as the saying goes, the devil is really in the details," Harrington said.

Facebook received a special nod from the FTC for being quick to pull stimulus-related scam ads. At the press conference, Harrington brought along Joe Sullivan, Facebook's top lawyer, who said the website began noticing ads five weeks ago, before the Commission contacted the company. Sullivan said the scams were spotted through a combination of Facebook's own vetting process and the website's "thumbs up / thumbs down" user feedback function on advertisements.

Google also received a nod from the FTC, although the language Harrington used was that the search engine said it's "committed to investigate stimulus-related ads that violate its anti-scam policy." Obviously, the scope of ads being served by Google is much larger than Facebook's, but Obama stimulus grant ads are still quite prevalent as of today.

The FTC said it won't discuss whether it's currently going after any of the fraudsters, although Harrington noted the Commission has "broad authority to take action against unfair advertising practices." She said some of the remedies the agency could seek range from prohibiting certain claims in the ads, shutting down the websites, or ordering that money be returned to customers.

Whether the federal hammer is dropped or not, the FTC wants ad-serving websites to take the initiative.

"It doesn't benefit anyone to go to a legitimate website and get pitched by scam artists," Harrington said.

The FTC warns unwary surfers that the stimulus package doesn't include any grants for personal financial assistance. Lists of actual government grants are also published online for free.
 

British Postman Loses £130,000 to MySpace "Friend"

By PK


The British newspaper Mail Online reports that a local postman was scammed out of his life savings by an attractive female "friend" he met on the popular online community site MySpace.

Saving the Damsel in Distress

The postman, Shane Symington, seems like a nice fellow who was simply trying to help a fellow human being. He befriended an American woman named 'Angela Gates' on MySpace in 2007. After a few weeks of friendly banter, the woman began asking for money to pay for her mother's funeral and for medical expenses.

What could Shane do but rush in and save her from her predicament? She needed him!

In order to hit every soft spot Shane had, 'Angela' also told him she needed more money to pay for legal fees that would allow her to inherit a $2 million piece of property. Anyone who's studied advance fee fraud scams will recognize this kind of story.

Damsel Turns Out to Be a Dude

Unfortunately, it appears Shane hadn't studied much about scams. It turns out this attractive, bikini-clad and potentially rich American woman was really a Nigerian man. Surprised? I doubt it.

After emptying Shane's bank account the Nigerian man even contacted Shane and admitted his fraud, but the story doesn't end there.



From the Mail Online:

He was then contacted by another woman, again from America, claiming she had also been caught in the scam.

He said that he then helped pay her legal expenses and the cost of hiring two ex-FBI agents in an attempt to regain the lost money for both of them.

Mr. Symington said that he now believes that these people are also involved in the scam. He said that he had paid out more than £30,000 to them, bringing his total losses to more than £130,000.


Ouch!

The lesson to learn here is that when these scammers find a victim, they hit them with multiple scams from multiple people until they have milked their target completely dry.

What does Shane have to say about all of this:

I feel sick from it all, I feel disillusioned, they have just played on my good nature. I've lost my life-savings, I have two loans and credit card debts, I'm in huge debts because of all of this.

You just can't trust anyone on the internet. I want to warn people but I know I won't be the last to fall for something like this.


The police in Hampshire working the case said that there's little they can do to recover the money because of the current political situation in Nigeria.



What Can We Do?

These stories are hard to read. We can't believe someone can be so easily manipulated. So what can we do? I suggest you help your friends, relatives, and neighbors by educating them about these kinds of scams. Shane said it best - "I won't be the last to fall for something like this."

Don't let it happen to someone you know.
 

Facebook Sues 'Spamford' Wallace Over Spam Scam

By PK



Bring in the usual suspects

Facebook has launched a lawsuit against infamous junk mail merchant Sanford "Spamford" Wallace.

Wallace, along with co-defendants Las Vegas night club manager Adam Arzoomanian and Scott Shaw, face charges of violating the CAN-SPAM Act of 2003. Mediapost adds that the suit covers allegations that Wallace and his business associates spammed Facebook members with wall posts that posed as messages from their friends. The gang allegedly hacked into accounts using phishing techniques before sending the offending messages.

Facebook's legal action comes three months after the social networking site was awarded $873m in a suit against Adam Guerbuez and his firm Atlantis Blue Capital for violations of US federal anti-spam laws. Guerbuez did not contest the action, which would otherwise have cleared up the undecided legal point on whether or not the CAN-SPAM Act applies to messages sent through social networking websites.

Wallace is no stranger to accusation of malicious marketing activities on social networking websites. Wallace and business partner Walter Rines were ordered to pay $230m to MySpace last May after a court held them responsible for using malware and social engineering to promote porn and gambling sites. That action was also uncontested by the defendants.
 

Is Someone Stealing Pennies From Your Bank Account?

By PK



It May Be "Salami Slicing." It May Be Petty Theft.

The latest identity theft scheme doesn't aim to empty your debit account or charge you to the credit limit—not yet anyway. According to The Boston Globe, at least 800 credit and debit cardholders have reported finding tiny fraudulent charges on their statements in recent weeks.

The charges range from 21 to 48 cents, and are billed under two phony business names: "Adele Services" and "GFDL."

The mysterious charges have led to a range of speculation over the nature of the scam. Some think that the small charges are meant to test the validity of a registry of stolen credit card numbers which may have been resold by the original thieves. If the theory is correct, those whose cards have already been charged can probably expect to be targeted for much larger amounts down the line.

A Slice of Salami

A less likely theory parallels the scam attempted by the main characters in the movie "Office Space," which featured three disgruntled computer programmers who attempt to slowly embezzle money from their company, pennies at a time. The scheme is sometimes referred to as "salami slicing", but usually targets businesses or customers rather than an unconnected group of individuals.

If this theory holds, those who fail to notice that their accounts have been compromised will continue to be targeted for small amounts of money indefinitely. Most likely, the thieves would have to create new false companies with each wave of thefts.

Plan of Action

Regardless of the intent of the perpetrators, the course of action for those who notice small, unexpected charges on their debit and credit card statements is the same:

1. Report the charges to your bank or other financial institution.
2. Report your card stolen so that you can be issued a new credit card and credit card number.

As always, it's important for everyone to pick carefully through their statements each month (if not more frequently), looking for charges they don't recognize. Whether a questionable charge is 1 cent, $1, or $100, it should always be treated as a potentially serious problem.
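The statement review the plan of action calls for can be automated for the common case. The following Python script is an added example written for this page, not a bank's or the Globe's code: it scans a statement for charges below a threshold from merchants the cardholder has never paid before and totals them per merchant, which is exactly the list to hand to the bank when reporting the charges and the card. The known-merchant set and the statement lines are constructed for the example, with the two unfamiliar merchant names taken from the article.

```python
from collections import defaultdict
from decimal import Decimal

# Merchants the cardholder has paid before (constructed for this example;
# in practice, build it from earlier statements).
KNOWN_MERCHANTS = {"GROCERY MART", "CITY TRANSIT", "COFFEE CORNER"}

# Constructed statement lines: (date, merchant as printed, amount in dollars).
STATEMENT = [
    ("2009-03-02", "GROCERY MART", "54.10"),
    ("2009-03-04", "ADELE SERVICES", "0.21"),
    ("2009-03-05", "COFFEE CORNER", "0.95"),
    ("2009-03-09", "GFDL", "0.48"),
    ("2009-03-12", "CITY TRANSIT", "2.00"),
    ("2009-03-15", "ADELE SERVICES", "0.33"),
]


def flag_micro_charges(transactions, known_merchants, threshold=Decimal("1.00")):
    """Group charges below `threshold` from merchants not in `known_merchants`.

    Returns a dict merchant -> list of (date, Decimal amount). Decimal is used
    so that cents add up exactly; float arithmetic would drift.
    """
    flagged = defaultdict(list)
    for date, merchant, amount in transactions:
        value = Decimal(amount)
        if value < threshold and merchant.upper() not in known_merchants:
            flagged[merchant].append((date, value))
    return dict(flagged)


def report(flagged):
    """Per-merchant count and running total: the numbers to give the bank."""
    return {merchant: (len(items), sum(value for _, value in items))
            for merchant, items in flagged.items()}


if __name__ == "__main__":
    summary = report(flag_micro_charges(STATEMENT, KNOWN_MERCHANTS))
    for merchant, (count, total) in summary.items():
        print(f"{merchant}: {count} charge(s), ${total} in total")
```

A small charge from a familiar merchant (the 95-cent coffee here) is left alone; the combination of an unknown name and a sub-dollar amount is what distinguishes a card-validity test or a salami slice from ordinary spending.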