You might be surprised by how valuable your personal information is to cyber-criminals. This article from Dark Reading contains a menu of stolen credentials along with some interesting insights into the cybercrime economy. Definitely worth a read. [Via @SecBarbie]
A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world-readable. Cloud computing is here to stay, folks, and governments, companies and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud. IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.
For your social engineering reading pleasure… the takeaways? First, operational security is important – this scam worked (at least for a while) because the scammer was able to speak the language of her victims, as she was familiar with Lowe's procedures and systems. Documentation and information that could make an outsider seem like an insider, or that gives a technical hacker names of systems, IP addresses and the like, needs to be protected from unauthorized access. Second, educating your users to be suspicious of out-of-the-ordinary requests from (seemingly) internal sources should be a key part of your security awareness strategy.
FOR FURTHER INFORMATION CONTACT
AUSA VICKIE E. LEDUC or
MARCIA MURPHY at 410-209-4885
June 24, 2013
FOR IMMEDIATE RELEASE
WOMAN PLEADS GUILTY TO DEFRAUDING LOWE’S STORES BY FRAUDULENTLY OBTAINING GIFT CARD CREDIT
Defrauded Lowe’s of at Least $250,000 by Calling Lowe’s stores and Pretending to be from Lowe’s IT Department
Baltimore, Maryland – Lucerte “Lisa” Abellard, age 35, of Dobbs Ferry, New York, pleaded guilty today to conspiracy to commit wire fraud in connection with a scheme to defraud Lowe’s stores.
The guilty plea was announced by United States Attorney for the District of Maryland Rod J. Rosenstein and Acting Special Agent in Charge Lisa Quinn of the United States Secret Service – Baltimore Field Office.
According to her plea agreement, Abellard called employees at Lowe’s stores around the United States, pretending to be from the “IT department” at Lowe’s headquarters, telling the Lowe’s employee that she received a report there were problems with a register at the Lowe’s store. She would then ask the employee to run a series of diagnostics on the register, often pretending to be able to see the tests remotely. The purported diagnostics ended with a “test” transaction that put a credit on a Lowe’s gift card – usually about $3,000 to $4,000. In reality, this “test” transaction put a credit onto a Lowe’s card possessed by Abellard or her co-conspirators. Abellard was usually successful in deceiving employees into believing she was calling from Lowe’s IT department because she was very familiar with Lowe’s internal procedures and systems – including the names of systems and databases routinely accessed by Lowe’s employees.
Abellard received a portion of value on the gift card she fraudulently credited from the co-conspirators to whom she sold the cards. After obtaining the fraudulent credit, Abellard would contact the co-conspirator that had paid her for the card, advise that person of the credit and that the card needed to be used quickly before Lowe’s detected the fraud. Phone records connect Abellard and her co-conspirators to the fraudulently obtained gift cards, and confirm that Abellard made most or all of the fraud calls to Lowe’s stores.
The total loss to Lowe’s as a result of the scheme was more than $250,000. The government contends that Abellard was the leader of the scheme and will offer evidence to prove that at sentencing.
Abellard faces a maximum sentence of 20 years in prison and a fine of $250,000. U.S. District Judge Ellen L. Hollander scheduled his sentencing for September 26, 2013, at 10:00 a.m.
Today’s announcement is part of efforts underway by President Obama’s Financial Fraud Enforcement Task Force (FFETF) which was created in November 2009 to wage an aggressive, coordinated and proactive effort to investigate and prosecute financial crimes. With more than 20 federal agencies, 94 U.S. attorneys’ offices and state and local partners, it’s the broadest coalition of law enforcement, investigatory and regulatory agencies ever assembled to combat fraud. Since its formation, the task force has made great strides in facilitating increased investigation and prosecution of financial crimes; enhancing coordination and cooperation among federal, state and local authorities; addressing discrimination in the lending and financial markets and conducting outreach to the public, victims, financial institutions and other organizations. Over the past three fiscal years, the Justice Department has filed more than 10,000 financial fraud cases against nearly 15,000 defendants including more than 2,700 mortgage fraud defendants. For more information on the task force, visit www.stopfraud.gov.
United States Attorney Rod J. Rosenstein thanked the U.S. Secret Service for its work in the investigation. Mr. Rosenstein praised Assistant U.S. Attorney Justin S. Herring, who is prosecuting the case.
Another day, another Android vulnerability which allows malicious actors to inject malicious code into Android applications without triggering cryptographic safeguards. And another reason to refrain from using app stores other than Google Play for the time being.
This article from the Guardian claims that our friends in Redmond are cooperating with the NSA to give the spying agency access to all sorts of cloud-based comms and data as part of their 1984-esque PRISM collection program. The haul includes Skype audio, video, and chat messages, which were until recently thought to be resistant to eavesdropping.