
Archive for September, 2010

Spamming to find goods launderers

Tuesday, September 14th, 2010

I got a spam this morning which is essentially looking for people to help repackage and ship out stolen goods. They have of course dressed it up in an attempt to appear legitimate, but anyone with any sense can tell this is a scam. I thought briefly about pretending to accept long enough to get some info on the perps and then turn the info over to the authorities, but I highly doubt anyone will actually care. I’m still surprised by their brazenness.

Hello, my name is Lawrence Siegell. [note: email sent from Evan Franklin]
I’ve just viewed your resume and would like to offer you a part-time job based on work at home.
Our company name is Manpower East Gmbh. Job title is Stuff Manager.

We’re a small courier company based in Europe.
We help our clients to order some goods or things at low prices and safely ship packages to the client side.
Our experience shows it’s easier to order something using our service.
We’re looking for a good support representative to process our packages in the USA.

The stuff (like clothes, musical instruments) will be shipped from the online stores, auctions or some of warehouses via regular or express delivery services like USPS, UPS, etc. You will have to handle these packages and resend them to us or our couriers.
Your salary will be $20 USD for each handled package but you will get $50 USD for each package, marked as important. Of course, you will have some bonuses if you work hard and complete your tasks in time.
You will receive 5-20 parcels weekly, trial period (first 4 weeks) includes processing of 2-5 packages.
Maximum package weight is 20lbs, max size length+width+height < 80 inch, usually 5-12lbs, 8*14*18 inch. For heavy parcels you will be paid with additional (bonus) salary.
We pay monthly or per 20 sent packages. If you have PayPal account, you will be paid via PayPal instant transfer, if don’t have then via Western Union or Moneygram.

All shipping charges will be paid by our company.
No investments required, we will cover all your expenses including shipping charges.
If you’re interested in our offer give me your contact phone # and the best time to reach you at. Or contact me via email.
I also want to inform you that sometimes the international calls from Germany have no caller ID that’s why I ask you to answer the unknown phone calls.

Best regards,
Lawrence

update: Since a lot of people seem to be finding this page, I figured I would add a link to this article from workathomescams.com which describes how the scam works, and mentions that if you participate, you may find yourself to be an accessory to a crime.

compromised credentials

Friday, September 3rd, 2010

Speaking of passwords….

In the last few weeks there have been a few stories about criminals using stolen credentials to steal large amounts of money from unsuspecting victims. The Zeus botnet stole about a million dollars from UK banks. Criminals stole a million dollars from UVA, and the Diocese of Des Moines had $600K stolen. All of these followed a similar pattern: criminals used stolen credentials to move money to other bank accounts. I’m reminded of the 2010 Verizon Data Breach Investigations Report (if you haven’t read it, please do). One of its recommendations was to limit the amount of damage that can be caused by compromised credentials. If these banks had been following that advice, their customers might not now be out millions of dollars. If they had implemented any sort of program to look for fraud indicators (a transfer to a payee added minutes earlier, a burst of outbound transfers, a session that logged in from somewhere the customer never has), they likely would have avoided this whole mess. I know of many banks that have such a program in place, and let’s just say that I haven’t seen any of them show up in the news lately.
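To make the "fraud indicators" recommendation concrete, here is a small detection pass over a constructed stream of online-banking events. This is an added example written for this post, not code from the original page or from any bank: the event format, the three rules, the thresholds and the customer profile are all assumptions chosen for illustration, and the sample events are made up. What it shows is the shape of the control the DBIR recommends: the stolen password still lets the attacker in, but a large transfer to a freshly added payee, a burst of outbound transfers, or a transfer in a session that logged in from an unusual country gets held for out-of-band confirmation instead of being released on the strength of the password alone.

```python
"""Fraud-indicator pass over online-banking events.

Added example for this post, not code from the original page or from any
bank. The event format, rule thresholds and customer profile below are
assumptions chosen for illustration; a real program would tune them per
customer and feed a case queue rather than print.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds.
NEW_PAYEE_AGE = timedelta(hours=24)   # payee added less than this long ago...
NEW_PAYEE_LIMIT = 1_000.00            # ...and the transfer exceeds this amount
VELOCITY_WINDOW = timedelta(hours=1)  # sliding window for outbound totals
VELOCITY_LIMIT = 5_000.00             # outbound total that trips the velocity rule

# Constructed customer profile: the country each account normally logs in from.
HOME_COUNTRY = {"acct-1001": "US", "acct-1002": "US"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def make_event(time, account, kind, country, payee=None, amount=0.0, payee_added=None):
    """Build one event record; times are 'YYYY-MM-DD HH:MM' strings."""
    return {"time": _ts(time), "account": account, "kind": kind, "country": country,
            "payee": payee, "amount": amount,
            "payee_added": _ts(payee_added) if payee_added else None}


# Constructed sample, oldest first: one normal customer and one whose stolen
# credentials are used to push money to payees added minutes earlier.
SAMPLE_EVENTS = [
    make_event("2010-08-30 09:00", "acct-1001", "login", "US"),
    make_event("2010-08-30 09:05", "acct-1001", "transfer", "US", "utility-co", 120.00, "2009-01-10 00:00"),
    make_event("2010-08-31 02:10", "acct-1002", "login", "UA"),
    make_event("2010-08-31 02:11", "acct-1002", "add_payee", "UA", "mule-7"),
    make_event("2010-08-31 02:12", "acct-1002", "transfer", "UA", "mule-7", 4_800.00, "2010-08-31 02:11"),
    make_event("2010-08-31 02:20", "acct-1002", "transfer", "UA", "mule-8", 4_700.00, "2010-08-31 02:19"),
]


def find_fraud_indicators(events, home_country=HOME_COUNTRY):
    """Walk time-ordered events and return (alerts, holds).

    alerts: {account: [(rule, detail), ...]} for accounts that tripped a rule
    holds:  (account, time, payee, amount) for transfers that tripped at least
            one rule and should be held for out-of-band confirmation
    """
    alerts = defaultdict(list)
    holds = []
    recent_out = defaultdict(list)   # account -> [(time, amount)] inside the window
    login_country = {}               # account -> country of the most recent login

    for ev in events:
        t, acct, kind = ev["time"], ev["account"], ev["kind"]
        stamp = t.strftime("%Y-%m-%d %H:%M")
        home = home_country.get(acct)
        if kind == "login":
            login_country[acct] = ev["country"]
            if home and ev["country"] != home:
                alerts[acct].append(("foreign_login", f"{stamp} login from {ev['country']}, home is {home}"))
            continue
        if kind != "transfer":
            continue

        tripped = []
        amount, payee = ev["amount"], ev["payee"]
        # Rule 1: sizeable transfer to a payee that was only just added.
        added = ev["payee_added"]
        if added is not None and t - added < NEW_PAYEE_AGE and amount > NEW_PAYEE_LIMIT:
            tripped.append(("new_payee_large_transfer", f"{stamp} {amount:.2f} to {payee}, payee added {added:%H:%M}"))
        # Rule 2: outbound velocity over a sliding window.
        window = [(wt, a) for wt, a in recent_out[acct] if t - wt <= VELOCITY_WINDOW]
        window.append((t, amount))
        recent_out[acct] = window
        total = sum(a for _, a in window)
        if total > VELOCITY_LIMIT:
            tripped.append(("velocity", f"{stamp} {total:.2f} out in {len(window)} transfers within 1h"))
        # Rule 3: transfer in a session that logged in from outside the home country.
        if home and login_country.get(acct, home) != home:
            tripped.append(("transfer_after_foreign_login", f"{stamp} {amount:.2f} to {payee} after {login_country[acct]} login"))

        if tripped:
            alerts[acct].extend(tripped)
            holds.append((acct, stamp, payee, amount))
    return dict(alerts), holds


if __name__ == "__main__":
    found, held = find_fraud_indicators(SAMPLE_EVENTS)
    for acct, items in found.items():
        for rule, detail in items:
            print(f"{acct} {rule}: {detail}")
    print("held for confirmation:", held)
```

On the sample, acct-1001 produces nothing, while both of acct-1002's transfers are held: the first trips the new-payee rule and the foreign-login rule, the second trips those plus the velocity rule once the hour's outbound total passes the limit. The point of the hold list is damage limitation, not detection for its own sake: the money stays in the account until someone who is not the attacker confirms the transfer through a channel the stolen password does not control.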

reasons why I hate passwords, part 1 of many

Wednesday, September 1st, 2010

There are a lot of reasons to hate passwords as an authentication mechanism: users hate them, they are easy to guess or brute force, there is overhead in maintaining the system when credentials are forgotten or lost, there is overhead from locked-out users, they over-rely on a single factor of authentication, and so on. All of it comes down, though, to one central theme: using passwords puts the responsibility for security on the users and not on the security folk, and this is a huge mistake. Users are not trained security professionals, and they can’t be expected to be. It is simply unreasonable to expect users to create unique strong passwords for everything they access, remember them, not write them down, and never forget them. They have other things to do, and security is just not one of them. I don’t want my employees to be the primary line of defense for IT systems I’m responsible for; I want qualified security personnel. If you use passwords for authentication, then that’s essentially what you’re doing. This is the root cause of all the other problems with passwords.
