I got a spam this morning which is essentially looking for people to help repackage and ship out stolen goods. They have of course dressed it up in an attempt to appear legitimate, but anyone with any sense can tell this is a scam. I thought briefly about pretending to accept long enough to get some info on the perps and then turn the info over to the authorities, but I highly doubt anyone will actually care. I’m still surprised by their brazenness.

Hello, my name is Lawrence Siegell. [note: email sent from Evan Franklin]
I’ve just viewed your resume and would like to offer you a part-time job based on work at home.
Our company name is Manpower East Gmbh. Job title is Stuff Manager.

We’re a small courier company based in Europe.
We help our clients to order some goods or things at low prices and safety ship packages to the client side.
Our experience shows it’s easier to order something using our service.
We’re looking for a good support representative to process our packages in the USA.

The stuff (like clothes, musical instruments) will be shipped from the online stores, auctions or some of warehouses via regular or express delivery services like USPS, UPS and etc. You will have to handle these packages and resend it to us or our couriers.
Your salary will be $20 USD for each handled package but you will get $50 USD for each package, marked as important. Of course, you will have some bonuses if you work hard and complete your tasks in time.
You will receive 5-20 parcels weekly, trial period (first 4 weeks) includes processing of 2-5 packages.
Maximum packages weight is 20lbs, max size lenght+width+height < 80 inch, usially 5-12lbs, 8*14*18 inch. For heavy parcels you will be paid with additional (bonus) salary.
We pay monthly or per 20 sent packages. If you have PayPal account, you will be paid via PayPal instant transfer, if don’t have then via Western Union or Moneygram.

All shipping charges will be paid by our company.
No investments required, we will cover all your expenses including shipping charges.
If you’re interested in our offer give me your contact phone # and the best time to reach you at. Or contact me via email.
I also want to inform you that sometimes the international calls from Germany have no caller ID that’s why I ask you to answer the unknown phone calls.

Best regards,
Lawrence

update: Since a lot of people seem to be finding this page, I figured I would add a link to this article from workathomescams.com which describes how the scam works, and mentions that if you participate, you may find yourself to be an accessory to a crime.

Speaking of passwords….

In the last few weeks there have been a few stories about criminals using stolen credentials to steal large amounts of money from unsuspecting victims. The Zeus botnet stole about a million dollars from UK banks. Criminals stole a million dollars from UVA, and the Diocese of Des Moines had 600K stolen. All of these followed a similar pattern – criminals used stolen credentials to move money to other bank accounts. I’m reminded of the 2010 Verizon Data Breach Investigations Report (if you haven’t read it, please do). One of the recommendations was to limit the amount of damage that can be caused by compromised credentials. If these banks had been following that advice, their customers might not now be out millions of dollars. If they had implemented any sort of program to look for fraud indicators, they likely would have avoided this whole mess. I know of many banks that have such a program in place, and let’s just say that I haven’t seen any of them show up in the news lately.

I looked over the FBI’s Internet Crime Complaint Center’s annual report covering 2009. There wasn’t a whole lot that was interesting (electronic crime is on the rise), but one thing caught my eye. One page 6 there is a chart showing the number of cases divided up by the monetary loss associated with it. Only 7.5% of the cases involved damages of more than $10,000 and only 1% involved damages of over $100,000. Gone I suppose are the days of the million dollar heists, replaced instead by the facilitation of many smaller crimes. The scammers are only making money because they steal in bulk.

Bank of America recently discovered that one of its employees had planted malware on some ATMs and had stolen a little over $300,000. Two very obvious countermeasures come to mind – use embedded devices instead of COTS, and whitelisting. There is really no reason that arbitrary code should be run on an ATM, and therefore there’s no reason to allow it.

According to Symantec, Cybercrime is now the number 1 crime in terms of profit, having recently passed Illegal drug trafficking.

The Conficker worm author is the latest to latest to have a bounty placed on his/her head. While I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

update On a related topic, when doing some background research on conficker, I stumbled across the following headline:

The DoJ wants private corporations to more openly disclose cybercrime when it occurs. This is one of the major differences between the way government works and the way private industry works. (I’ve got information security in both, and it’s something I’d noticed a long time ago). In government, there is a strict procedure and a chain of reporting for everything, and one of the main focuses is openness. Individuals in government are rarely accountable as long as they follow the correct procedures. (In other words, the “I was just following orders” argument has worked countless times inside the beltway). In the private sector, the main focus is profit, and people are held accountable for what occurs, even if they feel they did nothing wrong. Reputation loss is a serious concern, and corporations are loath to report information breaches. This is one of the reasons data breach laws have been necessary – without them private entities would rarely disclose when something bad happened. Now the DoJ and FBI want corporations to disclose even more so that it can allocate it’s crime fighting abilities correctly. While this is clearly a laudable goal (and crime fighting is one of the major responsibilities of a modern government), private entities will not comply unless they are either required to by law (like the breach notification laws), or have a compelling financial interest (as in the case where they believe the authorities can help recover lost assets).

Why am I only finding out about this now (also reported by wired)?

Oleksandr Dorozhko hacked a system containing information on IMS health that would negatively affect their stock price. (Or, possibly, someone else hacked the system and gave him the information). He invested in puts and netted himself about $300,000 in one day. The SEC noticed and tried to block it, but the court has ruled that a hacker is not an insider, and therefore insider trading does not apply. Mr. Dorozhko gets to keep every cent of his admittedly ill-gotten gains.