Tag: Cybercrime

Female customers who shopped at a Sears store in North Hollywood, Calif., over the past three years may have been videotaped in the dressing rooms and restrooms, according to an attorney representing 25 women suing the retail chain.

The group is suing Sears and a former maintenance worker who allegedly videotaped them from 2009 to April 2012.

Michael Alder, the attorney for the plaintiffs, said an unknown number of female customers were also likely videotaped in the store during that period.

“There’s a lot of people who were patrons and don’t have any idea that they’ve been videotaped,” Alder said.

Alejandro Gamiz, 27, a maintenance worker who worked at Sears for seven years, is accused of placing hidden cameras behind the walls of the store. He was arrested on April 12 for burglary and surreptitious filming of unsuspecting women by North Hollywood Area Sexual Assault detectives. Gamiz posted $20,000 bail and was released from custody.

The Los Angeles District Attorney’s office is still reviewing the case and has not yet filed charges against Gamiz. Gamiz did not return a request for comment.

Krystel Dean, an employee and one of the plaintiffs, said she was “shocked” when she learned of the secret videotaping.

“My heart immediately sank,” she said. “Not only have I used the restroom and dressing rooms, but my small children have used them as well. I feel like our privacy has been invaded.”

Dean is also suing Sears in the same suit for retaliation, saying her employer cut her work hours after she was the first to hire an attorney and speak to the media about the alleged taping.

Of the women filing the lawsuit against Sears, 16 are employees while the other nine are store customers who believe they may have been taped, including four children. The plaintiffs’ last names, including Dean’s, were not included in the lawsuit.

The group filed a lawsuit against Sears on June 11 in the Los Angeles Superior Court, asking for unspecified compensatory and punitive damages for unpaid wages, mental and emotional distress, and attorney fees and costs, among other damages.

The plaintiffs said Sears knew or should have known that Gamiz had installed video equipment and created peep holes during the three years the equipment was in place. They are suing Sears for invasion of privacy, intentional infliction of emotional distress, hostile work environment harassment, and negligent hiring, supervision and retention, among other charges.

Alder has invited other female patrons or employees who were in the dressing rooms or bathroom of the North Hollywood store in the three years before Gamiz was arrested to contact his law firm and visit the special website his law firm has established, SearsPeepingTom.com.

“As information gets out, they will realize they frequented that Sears for the last three years and undressed,” he said.

Kimberly Freely, spokeswoman for Sears Holding Corp., said the company could not comment because the litigation is pending.

“But as we said previously, and with all due respect to the associates who may have been impacted by this incident, no member of management or leadership in the company had any prior knowledge of the accused’s alleged conduct until it was discovered in our store,” she said. “At that point, we immediately launched an investigation and turned the matter over to the police.”

The lawsuit states that Gamiz created “peep holes” in women’s restrooms and dressing rooms, and in children’s dressing rooms as well. He then installed video equipment to record the women and children. He uploaded some of the videos to the Internet, according to the lawsuit, on a site that police have since taken down.

The plaintiffs accuse Sears of turning a “blind eye” to Gamiz’s “suspicious behavior” during the course of his employment. The suit states that he “regularly and frequently purported to be performing maintenance” in the restrooms and dressing rooms, air ducts and crawl spaces, and “close off access to these areas” when “no maintenance was required, requested or necessary.”

Alder said Sears informed employees that video on Gamiz’s hard drive had been reviewed, and that the women were in some of the recordings. Alder is seeking access to the videotapes and hard drive that were confiscated by the police.

Read more

In an international hacking case, a Dutch man appeared in U.S. federal court today and pled not guilty to stealing at least 44,000 credit card numbers, according to the Associated Press.

Apparently, this is just the tip of the iceberg.

David Benjamin Schrooten, aka “Fortezza,” is being targeted by federal prosecutors for allegedly hacking into computers and stealing massive amounts of credit card numbers. Once he obtained the numbers, he allegedly sold them in bulk quantities via different Web sites. The 44,000 is reportedly from just one sale.

Police caught onto Schrooten’s alleged heist last November after a Seattle restaurant owner contacted the police. According to the Associated Press, several customers who ate at the restaurant got suspicious charges on their cards. Some were even getting charged $70 to $80 in as little as 10 minutes after using their cards at the restaurant.

Local and federal authorities eventually caught onto the trail of one of Schrooten’s alleged partners, Christopher A. Schroebel, 21, who was living in Maryland. According to the Associated Press, Schroebel put spying malware in the sales systems of dozens of businesses. Investigators said that the two alleged hackers worked together to create Web sites to sell the credit card numbers.

Schroebel was arrested in November and pled guilty to federal charges last month. His sentence is not yet set.

As for Schrooten, who is also 21, he was arrested in Romania and landed in Seattle on Saturday to attend his hearing in court today. He is being charged with access device fraud, identity theft, and 12 other federal counts. Police told the Associated Press that the investigation into Schrooten’s cybercrime ring is ongoing.

“People think that cyber criminals cannot be found or apprehended. Today we know that’s not true. You cannot hide in cyberspace,” U.S. Attorney Jenny A. Durkan said at a news conference, according to the Associated Press. “We will find you. We will charge you. We will extradite you and we will prosecute you.”

Read more

Legislation in Illinois – Senate Bill 2545 (SB 2545) – that would create the “Internet Dating Safety Act” has passed both the House and Senate and now heads to Governor Pat Quinn to sign. The Act would require Internet dating websites offering services in Illinois to disclose whether they conduct criminal background checks on all their members, or to post warnings online that they do not conduct criminal background checks. Introduced by State Senator Ira Silverstein (D-Chicago), the full text of the bill is available here: (SB 2545) “Internet Dating Safety Act”.

According to a brief synopsis on the SB 2545 status page on the Illinois General Assembly website, the Internet Dating Safety Act:

  • Requires Internet dating services offering services to Illinois members to provide a safety awareness notification to all Illinois members.
  • Provides that if an Internet dating service does not conduct criminal background screenings on its members, the service shall disclose, clearly and conspicuously, to all Illinois members that the Internet dating service does not conduct criminal background screenings.
  • Provides that an Internet service provider does not violate the Act solely as a result of serving as an intermediary for the transmission of electronic messages between members of an Internet dating service.
  • Provides that the Attorney General, pursuant to the Illinois Administrative Procedure Act, shall adopt rules and regulations to effectuate the purposes of the Act.
  • Amends the Consumer Fraud and Deceptive Business Practices Act.
  • Provides that it is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act for an Internet dating service to fail to provide notice or falsely indicate that it has performed criminal background screenings in accordance with the Internet Dating Safety Act.

If passed, the Internet Dating Safety Act would take effect immediately.

Online dating background checks have become more commonplace as more people join internet dating websites. As reported previously in the ESR News blog, three of the nation’s leading online dating websites – eHarmony, Match.com, and Spark Networks – and the California Attorney General issued a ‘Joint Statement of Key Principles of Online Dating Site Safety’ that online dating providers should follow to help protect members from sexual predators through background checks.

The joint statement followed the 2010 sexual assault of a Los Angeles-area woman by a man she met through Match.com who had several previous sexual assault convictions prior to the attack. The company settled a lawsuit with the woman after she sought a court order requiring Match.com to background check applicants for sex offenders.

However, Internet dating websites may create a false sense of security by saying they do background checks on members if the screenings performed are not extensive enough and rely only on online database searches for sex offenders, which are prone to errors and omissions, according to safe hiring expert Attorney Lester Rosen, founder and CEO of the San Francisco-area background check firm Employment Screening Resources (ESR).

“Databases can be notoriously inaccurate, so people still need to understand that they are responsible for their personal safety,” says Rosen, the author of ‘The Safe Hiring Manual,’ the first comprehensive guide for background checks. “Database searches are subject to false negatives and false positives and have issues with accuracy, timeliness, and completeness. They can also cause harm by creating a false sense of security.”

Read more

50 Million Fake Facebook Accounts

Facebook estimates that as of December 31, 2011, false or duplicate accounts represented approximately 5-6% of monthly active users, but also stated, “This estimate is based on an internal review of a limited sample of accounts and we apply significant judgment in making this determination, such as identifying names that appear to be fake or other behavior that appears inauthentic to the reviewers. As such, our estimation of false or duplicate accounts may not accurately represent the actual number of such accounts.”

Why would anyone set up a fake Facebook account?

To steal your clients or potential clients. To squat on your name or brand. To post infected links while posing as legitimate individuals or businesses. To offer deals with links to spoofed websites in order to extract credit card numbers. To damage your name or brand. To harass you or someone you know. To co-opt a name or brand that has leverage in order to obtain privileged access.

Social media websites could go a long way in protecting their users by incorporating device reputation management. Rather than relying solely on information provided by a user (who could be an impersonator), device reputation goes deeper, identifying the computer or other device being used, so that known scammers and spammers are exposed immediately and potentially threatening accounts are denied before users can be abused.

Read more

Anonymous is one heck of a dangerous hacktivist group. The collective has managed to break into and disseminate thousands of classified and downright dirty emails and records, and take down dozens of major sites, all the while managing to be pretty much unstoppable.

But new evidence from a failed attack on the Vatican shows just how the supposedly leaderless organization operates.

The attack on the Vatican was a 25-day siege designed to disrupt the visit of the Pope to Madrid for World Youth Day. Traffic to the Vatican’s website was 34 times greater than average, but the servers were able to cope with the strain.

But the interesting part about the attack is that, for most of the time, Anonymous wasn’t attacking. It was investigating.

Computer forensics show that a small group of individuals, who are probably skilled hackers, spent 19 of the 25 days searching the site for any holes that could be exploited to break into the system. Only when this strategy failed did Anonymous progress with the Distributed Denial of Service (DDoS) attack against the Vatican, meaning that all those DDoS attacks we’ve seen are probably just because Anonymous couldn’t get in to steal information.

When trying to crack the system failed, Anonymous turned to Facebook and its cloud of willing participants, then launched a DDoS attack. As Cole Stryker, an expert on the internet imageboard 4Chan, which seems to have a significant crossover with Anonymous, put it: “Anonymous is a handful of geniuses surrounded by a legion of idiots.”

Basically, the evidence shows that Anonymous is a small group of hackers cloaking themselves in the veil of thousands of other people. Anonymous isn’t nearly so anarchic nor leaderless as it seems to be.

Read more

Credit card scam targets colleges, charities

CHARLOTTE, N.C. — For colleges and charities across Charlotte, finances depend on fundraising but now, Charlotte-Mecklenburg police say the institutions are being targeted by dubious donations.

Central Piedmont Community College was the first to alert officers when a donor requested a $9,000 refund.

Tom Bartholomy with the Better Business Bureau had not heard about the new scam until Eyewitness News told him.

The scammer makes a donation online using a fake or stolen credit card. Then, he or she contacts the college or charity, claiming there’s an error in the amount and that they want a refund to a different account number.

“The red flag really needs to be flying in your face when they’re asking for a refund to a different card,” Bartholomy said.

CPCC’s staff was suspicious.

“It was flagged early in the process and reported to the credit card company,” college spokesman Jeff Lowrance said.

While CPCC caught the attempted crime, police say other colleges have been fooled into refunds.

The BBB said it’s bracing for a big problem.

“We feel this is the tip of the iceberg and once they see this is going to work, it’s game on,” Bartholomy said.

Read more

Illinois to Pass a Background Check Dating Bill

We all know that dating via the internet can be a potentially dangerous thing. There’s always that little fear factor that reminds you that no matter how many emails or chats you exchange, you still might not know who’s sitting behind the other computer screen. Online dating services have long been a concern for those who could get caught in some weird Nigerian scam and end up losing far more than just a date, and no matter how safe they claim to be, it’s still the internet, and if the internet has taught us anything at all, it’s that creepers and trolls lurk everywhere. To be honest, you really just need to watch Dateline’s To Catch a Predator to know this.

But in Illinois, legislators are taking action in the form of a proposed bill to help protect residents who are looking to find love. House Bill 4083 (HB 4083), the ‘INTERNET DATING SAFETY ACT’, would require online dating sites to clearly and conspicuously disclose to all Illinois members whether they conduct criminal background checks. HB 4083 would also require Internet dating services to provide all Illinois members with a safety awareness notification about safer dating practices.

Also, if an Internet dating service does not conduct criminal background checks on its members, the service shall disclose to all Illinois members that it does not conduct criminal background checks in two or more of the following forms: e-mail message, “click-through” acknowledgement, member profile, or signup page. If an Internet dating service does conduct criminal background checks on all members, the service shall disclose to all Illinois members, on the website pages used when an Illinois member signs up, that it conducts a criminal background check on each member. Whether criminal background checks are conducted or not, the disclosure shall be provided in bold, capital letters in at least 12-point type.

We also know, though, that a cursory background check is still potentially faulty. No superficial background check is going to tell you all the states in which a crime was committed, the exact nature of those crimes, or even what kind of intentions the person has. That might sound ridiculous, but to be honest, I’ve seen people who have squeaky clean records who are the worst people in the world. They’re compulsive liars and have a habit of stealing and torturing small animals.

And this false sense of security is what people who oppose the bill are fearful of. Performing and advertising background checks across Illinois online dating services would more than likely lead to a misconception about a person’s need for basic internet dating safety. And this could directly lead to a rise in violent and nonviolent crimes that are facilitated through internet dating services.

Hopefully, with the passing of this bill, people won’t forget themselves or their own protection when they go to look for love on a dating site, and it will only help filter out the potential criminals lurking on them.

Read more

As FBI and Scotland Yard investigators recently plotted out a strategy for tracking suspects linked to Anonymous, little did they know that members of the group were eavesdropping on their conference call and recording their plans.

The online vigilante group has released a 17-minute clip of a Jan. 17 conference call between investigators discussing evidence gathered against members of the group as well as upcoming plans for arrests. The group also released an e-mail sent out by an FBI agent to law enforcement agents around the world with a phone number and password for accessing the conference call.

The FBI has confirmed to the Associated Press that the recording is authentic.

FBI Conference Call Being Hacked

AnonymousIRC, a Twitter account purporting to be connected to the group, sent out a tweet on Friday with a link to an audio recording of the call, followed later by a message that read, “The FBI might be curious how we’re able to continuously read their internal comms for some time now.”

The call, between participants named Stewart and Bruce from Scotland Yard and the Los Angeles office of the FBI, began with the callers laughing over an inside joke about McDonald’s and cheese, then moved on to a discussion about a cyberconference in Sheffield. A few minutes later another agent from FBI headquarters in Washington, D.C., joined in.

At that point, the participants began talking about Ryan Cleary and Jake Davis, two U.K. suspects linked to Anonymous. The investigators also discussed setting back arrests connected to two suspects known online as Tflow and Kayla. On the call the agents appeared to give the real names of these suspects, but Anonymous bleeped them out. The U.K. investigator notes that local authorities have made a secret application to a judge to request a delay in proceedings to assist the FBI.

“We’ve set back the further arrests of Kayla and Tflow, that being [redacted] and [redacted], until we know what’s happening,” the U.K. investigator said. “We’ve got our prosecution counsel making an application in chambers, without defense knowing, to seek a way to try and factor some time in that won’t look suspicious.”

“How much time do you think is reasonable?” the U.S. caller asked.

“I’ve gone and said eight weeks, if they come back and say they’ll only give us six weeks I think it still helps you guys out…,” was the reply. “We have got Ryan Cleary’s indecent images, which have been found partly by our guys and partly by the USAF team who looked at his hard drive. So what we’re going to propose is that they get dealt with first, historically they’re the older offenses, and then that would take six to eight weeks before we then rolled onto the second half of that. But it’s down to the trial judge.”

The FBI agent thanked the Yard investigator for being flexible and helping out U.S. authorities.

“Hey, we’re here to help,” the Yard investigator responded. “We’ve cocked things up in the past, we know that. It gives us more time to examine the chat logs in any event, so it’s not that much of a hardship.”

The discussion then turned to another 15-year-old suspect who used the online moniker Tehwongz, and who was apparently arrested in the U.K. before Christmas for DDoSing his school and allegedly defacing the website of a Manchester-based credit union. The U.K. agent explained that the hacker wrote a statement revealing how he became a hacker and allegedly asserting that he was responsible for the hack of the gaming site Steam, which suffered a breach last year.

The FBI investigator noted that the agency’s Baltimore office was looking into the compromise and would be interested in seeing the hacker’s statement.

“He’s just a pain in the bum,” the Yard investigator said in the call, adding that investigators had a copy of the suspect’s hard drive and would look at prosecuting him for the Steam hack if they can build a case against him.

Read more

New Version Of Carberp Trojan Targets Facebook Users

Malware attempts to steal money by duping the user into divulging an e-cash voucher

A new version of the Carberp Trojan attempts to steal money from Facebook users by duping them into divulging an e-cash voucher, researchers say.

“Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is ‘temporarily locked,’” says Trusteer CTO Amit Klein in his blog. “The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro [approximately $25 US] voucher number to ‘confirm verification’ of their identity and unlock the account.

“The page claims the cash voucher will be ‘added to the user’s main Facebook account balance,’ which is obviously not the case,” Klein states. “Instead, the voucher number is transferred to the Carberp bot master, who presumably uses it as a cash equivalent, thus effectively defrauding the user of $25.”

The emerging man-in-the-browser (MitB) attack exploits the trust users have in Facebook and the anonymity of Ukash e-cash vouchers, Klein writes. “Unlike attacks against online banking applications that require transferring money to another account — which creates an auditable trail — this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately, anywhere they are accepted on the Internet.”

This type of attack is likely to grow as e-cash becomes more frequently used, Klein warns. “Like card-not-present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low risk form of crime,” he says. “With e-cash, however, it is the account holder not the financial institution who assumes the liability for fraudulent transactions.”

Carberp, like its predecessors Zeus and SpyEye, infects machines through malicious files — such as PDFs and Excel documents — or drive-by downloads, according to a blog about the Carberp Trojan published by security firm Context Information Security. “In most cases, Carberp will persist undetected by antivirus software on the infected machine using advanced stealth, anti-debugging, and rootkit techniques, and is controlled from a central administrator control panel that allows the attacker to mine the stolen data,” the Context blog states. “Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.”

The malware uses multiple layers of obfuscation and encryption to remain hidden from malware analysis tools, the Context blog says. “Once embedded and decrypted, the real infection begins with malicious file dropping and process injection steps that provide a backdoor to the host under attack.”

Read more

Hackers prey on smartphone use at work during holidays

The convergence of two trends has created a ripe opportunity for hackers looking to crack into corporate networks this holiday season.

More people than ever are using their personally owned smartphones as an essential work tool. And now an unprecedented number of them are using their smartphones to hunt for bargains and buy gifts.

This development has created a new tier of risk for corporate networks, says John Pironti, an adviser with ISACA, a global IT professionals association. “Cybercriminals are actively trying to leverage mobile devices as part of their attacks,” he says. “The holiday season provides them a perfect time to test out new attacks.”

Roughly 50% of mobile device users are likely to use their smartphones or touchscreen tablet computers to shop this year, up from 22% in 2010, according to a recent survey of 1,215 mobile device users conducted by Webroot.

An ISACA survey found that smartphone users planned to spend an average of 32 hours shopping online this holiday season – 18 of which will be on devices also used for work.

Employees have begun using their smartphones to download coupons and price-comparison apps and to make online purchases. That puts consumers and their companies at elevated risks, say technologists and security experts.

“In our bring-your-own-device to work culture, people are using smartphones for both personal and business use — and attacks on these devices are on the rise,” says Harry Sverdlove, chief technology officer at network security firm Bit9.

Smartphone attacks are in their infancy compared with PC hacks. They mostly come in the form of malicious apps for games, music and ringtones that phone users get enticed to download, says Armando Orozco, mobile threats analyst at Webroot.

“When installed, these apps gain control of your device to transmit your personal information, control search results and send text messages to premium numbers,” Orozco says.

There is little stopping hackers from expanding the capabilities of malicious apps. Hackers “know users will actively be shopping and looking for deals in places they normally may not access,” Pironti says.

Android phones, so far, are the biggest target because of Google’s open approach to letting third-party apps run on its operating system. Bit9 recently released a report showing the Top 12 smartphone handset models most vulnerable to being hacked. All 12 were Android models, led by the Samsung Galaxy Mini, HTC Desire and Sony Ericsson Xperia X10.

Apple’s iPhone isn’t immune. Websites such as Jailbreakme.com offer free programs to iPhone owners who wish to circumvent Apple’s tight restrictions on which apps they can load on their phones. Hackers could use similar techniques to slip malicious apps onto Apple products, says Matthew Prince, CEO of website security firm CloudFlare.

“The real concern going forward is that once connected to a corporate network, there is a risk the phones could steal information previously secured behind a firewall,” Prince says.

A bad guy in control of an employee’s smartphone could steal any sensitive messages and attachments stored on the phone. Or he could create and send viral e-mails throughout the corporate network, via messages that appear to come from the phone’s owner.

“A limited number of highly skilled attackers are able to leverage these attacks today,” Pironti says. “Given the sheer number of devices in use, this is likely to become a highly leveraged attack vector by a broad spectrum of adversaries.”

Prince notes that a hacker could also use a smartphone’s Wi-Fi capabilities to spy on sensitive internal communications between employees using the company’s Wi-Fi network. The attacker could then transmit stolen intelligence unnoticed via the smartphone line.

“That information can be transmitted out because the phone has access to the mobile carrier’s network,” says Prince. “Modern firewalls that look for information leakage could effectively be bypassed.”

Read more