Archive for the ‘Ironkey News’ Category

Cyber Thieves Spoof A Company’s Identity to Recruit Mules for Online Money Laundering

Wednesday, September 22nd, 2010

Winter Garden Corp has discovered that cyber thieves have used their company name, logo and identity information (location, phone number, tax id) to create fake companies and recruit unwitting people to be employed by a fake company, with the goal being to move money that was stolen from online bank accounts.

Over the last several months I’ve come to the conclusion, as have a number of my colleagues in the security industry, that the real limitation to online fraud is not the number of consumers who fall for phishing attacks, or the number of corporate laptops that are infected with invisible banking malware like Zeus. Instead, the real limitation is the number of so-called money mules. Mules are people who think they are working for a real company, and whose job it is to move money from bank accounts into Western Union, PayPal, etc.

When a cyber thief gets access to a consumer’s or company’s bank account online, by stealing their username and password, or by infecting their computer with invisible malware like the Zeus trojan, they need somewhere to transfer the money. They do not want to transfer the funds directly to their own bank accounts, in order to avoid detection and prosecution by the police. Instead, they recruit mules to act as middle men. This makes detection by law enforcement extremely difficult.

It is very interesting to see that companies are seeing their own “identities” being spoofed in order to create realistic covers to recruit more unwitting mules. This is very interesting given the recent news that the chief of Interpol had his identity spoofed.

The Head of Interpol Had His Identity Spoofed On The Internet

Tuesday, September 21st, 2010

Ronald Noble, the head of Interpol, the international police organization, has announced that he had his identity stolen on the Internet. He made this announcement this week in Hong Kong at Interpol’s first cyber security conference.

“Cyber-crime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face.”

It appears that what happened was that his identity was not actually “stolen”, rather it was spoofed.

Several accounts were set up on Facebook that purported to be Ronald Noble, but were not owned by him. The owners of those accounts then used that fake identity to send emails to various law enforcement agencies and others, in order to glean information about confidential investigations, notably Operation Infra Red.

This brings up some points of interest:
– why do law enforcement people think that a top Interpol manager would communicate with them over Facebook?
– OK, maybe I can see why they would, since there are many officials and executives who use Facebook
– I bet that Interpol has a policy against using Facebook
– But, they should be monitoring it and perhaps pre-emptively owning account names of senior executives

This last point really holds true for all companies and really for anyone. Even if you do not plan to use social networks, you might want to “own” your identity on those sites. If you do not, then someone can register an account in your name and start doing malicious activities.

California Man Gets 6 Years in Prison for Helping to Launder Money On The Internet

Saturday, September 18th, 2010

Cesar Carranza, 38, also known as “uBuyWeRush,” has been sentenced to 6 years in prison for conspiracy to launder money. He worked with the online criminal underground to provide them machines that were used to create fake credit cards, using data that was phished or stolen from card processing databases such as the TJX credit card breach.

Carranza met criminals on online forums such as CarderPlanet and Shadowcrew. He eventually grew his business to include assisting money mules in laundering money by moving it between various bank accounts and online payment services like e-Gold. He is accused of laundering $2.5 million.

Read the 2008 indictment here.

IronKey Enters CESG CAPS Security Evaluation

Friday, September 17th, 2010

I’m happy to report that the IronKey Enterprise S200 devices have entered the UK Government Communications Headquarters (GCHQ) CAPS security review process. You can read more about it here.

IronKey in CAPS

Wednesday, September 15th, 2010

IronKey Enterprise is undergoing UK Government Cryptographic Product Validation Program

Enterprise solution in CESG Assisted Products Service (CAPS) evaluation

James Hall of Complete Source, IronKey Elite Solution Provider and largest IronKey reseller in the UK, commented, “This is fantastic news… now any Government organisation has hard confirmation that IronKey is the right product. Many have already purchased IronKey devices anyway since it was the best, most secure solution available and the only one with FIPS 140-2 Level 3 accreditation, but now that choice has been vindicated by the device’s entry into the CESG product validation program.”

London, September 15, 2010

IronKey today announced that the IronKey Enterprise S200 has officially entered the CAPS evaluation program from the CESG, the UK national technical authority for information assurance. CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. CESG delivers information assurance policy, services and advice that government and other customers need to protect vital information services.

Dave Jevans, CEO IronKey commented, “We’re thrilled that IronKey Enterprise has started evaluation under the CAPS program. The CAPS program is an essential tool for government organisations providing assurance that products developed under CAPS provide assured solutions for all governmental cryptographic requirements.”

The CAPS program was introduced to meet the increasing governmental demand for cryptographic products. The CESG Assisted Products Service (CAPS) provides independent verification that cryptographic products meet Government standards and then formally approves their use by UK Government agencies and the wider public sector.

IronKey Enterprise enables organisations to remotely administer policies across thousands of devices over the Internet. If needed, administrators can remotely disable or remotely wipe devices. In addition to storing data, IronKey Enterprise devices are increasingly being used to store and run portable applications.

Jevans concluded, “At a time when the Information Commissioners Office has highlighted the poor record of government organisations in the area of data protection – and the fact that the ICO can now fine organisations up to £500k – there is huge pressure to better understand how to protect data whilst ensuring their employees can work securely from any location. With IronKey Enterprise, organisations have the peace of mind that if a device were lost the data is protected from compromise.”

About IronKey, Inc.:

IronKey provides essential security products for mobile and remote workers. IronKey solutions protect remote workers from the threats of data loss, compromise of passwords, and computers infected by malicious software and crimeware. IronKey multi-function devices connect to a computer’s USB port and are easy to manage with the IronKey management service. This allows users to securely carry up to 32GB of sensitive corporate data, strongly authenticate to VPNs and corporate networks, and isolate remote workers from malicious software and crimeware. IronKey customers include Fortune 500 companies, healthcare providers, financial institutions, and government agencies around the world.

How Many Public Tor Nodes Are Malicious?

Tuesday, September 14th, 2010

I read an interesting post on the or-talk mailing list this week. This user, Scott Bennett, claims to have found:

  • 10 that were reported to be run by a federal agent of some sort and were not listed as a Family at the time
  • 2 impersonators of blutmagie
  • 1 that illegitimately claimed to be a directory authority
  • a group of 10 not listed as a Family that also inserted text into exit streams on port 80
  • 11 others that inserted text into or substituted their own web pages for port 80 exit streams
  • 8 that consistently truncated image files
  • 1 that redirected port 80 streams to a spyware page
  • 1 that allowed DNS hijacking
  • 1 that censored exits to certain IP addresses and/or ports instead of defining its ExitPolicy correctly
  • 3 that falsified SSL certificates into exit streams for MITM attacks

It’s interesting that the public Tor network can also be used by criminals to distribute malware, by modifying the web pages that you see if you surf through their exit node.

TechCrunch Website Hacked to Distribute Zeus Banking Trojan Malware

Tuesday, September 14th, 2010

The technology blog TechCrunch was hacked yesterday. Hackers used a flaw in the WordPress infrastructure of the blog, and posted links to remotely hosted PDF files that are infected with the infamous Zeus banking trojan.

Graham Cluley at Sophos said: “The problem appears to have been present on TechCrunch Europe’s website for some time, and yet there’s been no obvious warning to visitors posted on its site nor – seemingly – no attempt to remove the malicious script or block users from visiting the infected pages.”

This incident highlights the lengths that hackers will go to in order to infect as many computers as possible with malicious software. In many cases, criminals pay other hackers to distribute the Zeus banking trojan. By posting links to it on a popular blog site, they can potentially expose the computers of hundreds of thousands or millions of readers to infection. It also shows that even if you have great spam filters, and are careful which websites you visit, you can still get infected if a site gets hacked.

Another infection vector we’ve seen is when hackers use so-called “malvertising”. This is when they post online ads on legitimate websites, but if a user clicks on the ad, they are taken to a site that tries to infect their computer with malware.

I will be speaking next week in Washington, DC, at the Online Trust Alliance conference. One of the topics is malvertising.

Preventing Keyloggers is a Trillion Times More Important than Using Strong Passwords

Friday, September 10th, 2010

Microsoft security researcher Cormac Herley recently said, “Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords.”

I couldn’t agree more.

He also had some good thoughts around password strength. In my experience some companies jeopardize their security posture by requiring strong complex passwords, and making users change them every 90 days. Users cannot remember these things, and end up writing them down on stickies and in note pads.

2/3rds of the World’s Population Has Been a Victim of Cyber Crime

Thursday, September 9th, 2010

A Norton report claims that fully 2/3rds of the world’s population has been a victim of some kind of cyber crime, whether it be malware, viruses, credit card fraud or identity theft.