Hackers Go After Points, Credits, and Virtual Currency

In a previous post I discussed virtual currency, which is used to purchase virtual goods within a variety of online communities, including social networking websites, virtual worlds, and online gaming sites. These virtual dollars and virtual goods have real value.

Virtual currency includes the points customers receive from retailers, merchants, airlines, hotels, and credit card companies through loyalty reward programs. These reward points are supposedly the second most traded currency on the planet.

Gizmodo reports that hackers have targeted Microsoft points, the currency used to purchase digital goods and gift cards for the Xbox and Zune. Someone cracked the algorithm Microsoft uses to generate codes for those gift cards, and released that information online. A website was used to generate more than a million Microsoft points worth of free gift cards, as well as other Xbox items, before Microsoft was able to shut it down.

In 2009, Facebook created a virtual currency called Credits, which users spend on games and other Facebook content. Facebook has worked with fraud fighters to test and structure this currency so as to avoid attracting criminals, but as with any virtual currency, criminal activity is inevitable.

Hackers even steal carbon credits. European carbon traders were fooled by a phishing email, which allowed hackers to access the victims’ online accounts and then transfer more than $50 million in carbon credits into their own accounts. Of course, the hackers promptly resold those credits for profit.

Virtual thieves can sell stolen points in online forums or on eBay, or they can try to exchange points for rewards. However, most online retailers, social media, and gaming websites recognize the thieves’ behavior patterns when cashing in stolen points. By analyzing the history of the device being used to access a website, the website’s operator can prevent fraudulent transactions.

iovation’s ReputationManager 360 is getting a lot of attention for preventing chargebacks, virtual asset theft, gold farming, code hacking and account takeovers. The service identifies devices and shares their reputation, including alerting businesses to real-time risk. Online businesses use device reputation to prevent fraud and abuse by analyzing the computers, smartphones, and tablets being used to access their websites.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

“Digital Goods” Fraud is Big

The Wall Street Journal reports that digital items within games and social networks accounted for $2.2 billion in sales in 2009, and are expected to account for $6 billion in sales by 2013. Billions more are spent on music and other downloadable digital media.

“Digital goods” are any products that are stored, delivered, and consumed electronically. Within a variety of online communities, including social media and online gaming websites, “virtual currency” is used to purchase virtual goods. Clothing and supplies for Second Life avatars are examples of virtual goods, which sometimes add points and enhance the player’s status within the game.

While it may be “hard to imagine fraudsters’ interest in items like computerized swords for a fantasy game…these goods are often easier to obtain than physical goods and criminals have learned that there are ways to convert them into cash.” Criminals can use stolen credit cards to purchase digital goods, and then sell them at a discount, “the online equivalent of selling stolen Rolexes on the street corner.”

The difficulty for digital goods merchants is the nearly instantaneous delivery. A traditional merchant must physically process and ship an order, which leaves time for more scrutiny. But with virtual goods, there’s little time to investigate the validity of an order.

When a credit card is not physically present, merchants can protect themselves by leveraging device reputation analysis. iovation’s ReputationManager 360 is used by many of the world’s largest gaming sites and digital goods providers. Gaming operators can customize business rules around geolocation, velocity, and negative device histories (including gold farming, code hacking, virtual asset theft, and policy violations) to identify nefarious account activity or fraudulent use of stolen accounts. More than 2,000 fraud-fighting professionals who contribute to iovation’s global database every single day continue to strengthen the system, while maintaining a safe and inviting environment for their players.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Twitter Scam Hooks Thousands

Twitter’s numbers are astounding. In the physical world, when communities become larger and more densely populated, crime rises. The same applies to online communities.

CNET broke down Twitter’s recent blog post, which celebrates their significant numbers: “It took three years, two months, and one day for Twitter to hit 1 billion tweets; now, a billion tweets are posted in the course of a week. An average of 460,000 new accounts were created per day over the past month, and an average of 140 million tweets were posted per day. Twitter now has 400 employees, 50 of whom have been hired since January.”

Spammers, scammers, and thieves are paying attention.

Techland reports, “At least 10,000 Twitter users fell for a scam that spread like wildfire across the social networking site early today. Quick action by link shortening service bit.ly – as well as thousands of people retweeting warnings – brought the scam attack under control in a few hours.”

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter accounts have been hacked, including those of President Obama and, recently, Ashton Kutcher. Kutcher’s account was most likely “Firesheeped,” meaning his session cookie was captured while he used an unsecured wireless network to access a site that did not encrypt the session.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter has been plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Social media sites could go a long way in protecting their users by incorporating device reputation management. Rather than accepting information provided by an anonymous user, device reputation allows social sites to leverage knowledge about a device’s history—which could include spam, phishing attempts, predatory behavior, profile misrepresentation and even credit card fraud. Device reputation alerts businesses to suspicious behavior exhibited while bad actors are on their websites, uncovers the device’s true location, and exposes hidden relationships to other high-risk accounts and devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media hacking on Fox Boston. (Disclosures)

Operation Empty Promises Targets Job Scams

The recession may have waned, but we aren’t out of the woods yet. The unemployment rate is still a staggering 9.5%. That’s millions of people without a job. Many who were displaced eventually got lower paying jobs, and are barely able to get by.

Jobseekers’ desperation for employment makes them vulnerable to work-from-home scams and fake job listings.

The Federal Trade Commission recently announced that it has “stepped up its ongoing campaign against scammers who falsely promise guaranteed jobs and opportunities to ‘be your own boss’ to consumers who are struggling with unemployment and diminished incomes as a consequence of the economic downturn.”

Criminals take advantage of increasing unemployment with fake job listings, designed to trick applicants into disclosing their Social Security numbers. Some scammers who more closely resemble legitimate companies make millions by blanketing classified advertisements across the country, roping people in with false promises.

One company offered to help workers start their own Internet business and earn up to $10,000 a month, ultimately defrauding victims out of $40 million in fees. Another advertised fake sales jobs on CareerBuilder.com and charged applicants for background checks. In another instance, scammers made false claims about the earnings potential of stuffing circulars into envelopes. Another scam advertised an angel pin assembly kit, with which one could supposedly earn up to $500 per week, no experience, special tools, or sewing skills required. The worst scam offered to help consumers recover money lost to other scammers, for a fee of up to $499.

If a job description doesn’t sound like something you would see printed on a business card, or if you are asked to front money, it’s a scam.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses money mules and job scams on Fox News. (Disclosures)

Search Engine Doesn’t Need Kids SSN

When Google launched Doodle-4-Google, in which children can compete to design Google’s homepage logo, they requested contestants’ Social Security numbers in an effort to prevent duplicate entries.

Americans have become accustomed to handing over the last four digits of their Social Security number as a password or identifier for various accounts and applications. But with the development of new technologies that have cracked the code for the distribution of Social Security numbers, the last four digits have become as sensitive and valuable as the first five.

The coder or marketer at Google who believes it’s reasonable to request the last four digits of children’s Social Security numbers is probably someone who readily shares his or her own number, which is not a good idea.

Researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages, and the publicly available Social Security Administration’s Death Master File.

The New York Times reports, “Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number… So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

The primary issue here is new account fraud, or financial identity theft in which the victim’s personally identifiable information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Aside from subscribing to an identity theft protection service, it’s difficult to stop or prevent new account fraud. One way that online businesses can mitigate the issue would be to verify the reputation of the computer or smartphone being used to submit credit applications, rather than simply verifying the Social Security number or other identification information provided by credit applicants.

By evaluating a device for criminal history or high risk while it’s connected to the online site, creditors can automatically detect and reject fraudulent applications. This worked very well for one Fortune 100 credit issuer. A Forrester Consulting Total Economic Impact study found that the device reputation service provided by Oregon-based iovation Inc. identified 43,000 fraudulent credit applications and saved the financial institution $8 million USD over two years, in reduced fraud losses and in operational efficiencies gained by its fraud prevention process and team.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses child predators online on Fox News. (Disclosures)

Hackerville: The Epicenter of Romanian Hackers

Scammers and hackers often originate from Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, Philippines, Malaysia, and, of course, China and the good old USA. These developing countries breed MIT-like hackers who spend all their days targeting consumers and Internet users like you and me.

But Râmnicu Vâlcea is different. Wired describes the odd contrast between flapping clotheslines and the luxury Mercedes-Benz dealership in this small Romanian town, where young men in expensive jewelry drive luxury cars, all paid for with money from eBay scams, Craigslist scams, advanced fee scams, ATM skimming, phishing, infiltrating databases, new account fraud, and account takeover fraud.

Early scams were obvious but successful. English is a second language to Romanian scammers, and over the past decade consumers caught on to the broken English and typos typical of phishing emails and classified scams. Romanian scammers responded by hiring English speakers to clean up their communication and give them an appearance of legitimacy.

Over time, U.S. authorities and corporations who were being defrauded caught on to Romania being the hub of organized computer crime, and so began flagging wire transfers, product shipments, and credit card orders. In response, scammers developed a distribution chain involving “mules,” who often ship products or collect money in countries like the United Kingdom, in order to avoid authorities monitoring Romanian IP addresses.

There are sophisticated anti-fraud companies that work around the clock to stay ahead of scammers to make the Internet a safer place to conduct business and interact. One such company is Oregon-based iovation Inc. They have a highly effective fraud protection service called ReputationManager 360 offering device reputation management to determine if a PC, smartphone, or tablet has been used to commit fraud, regardless of the country of origin. Their device reputation management is the only solution that leverages the shared experience of global brands across numerous industries, with thousands of fraud professionals from major online brands reporting and sharing fraud and abuse attempts each day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Cyber Criminals Target Online Gambling Sites

Do you gamble online? Millions outside the U.S. do and love it. My gaming experience consists of online Solitaire and Tetris, which shows you how adventurous I am. But for those who gamble online, there can be significant risks.

The same cyber criminals who target banks and retailers, working hard to collect and sell stolen personal data, including names, addresses, Social Security numbers, and credit card details, are using those stolen identities to win big by defrauding online gambling sites.

And as more people turn to online poker, bingo, sportsbooks, and betting sites, cyber criminals are developing more sophisticated ways to take advantage of legitimate players and the gambling sites themselves. Financial fraud, such as chargebacks and money laundering, is a major issue for gambling operators, not to mention player collusion and bonus abuse. Plus, the operators have the responsibility of keeping problem gamblers (self-excluders) from re-entering their sites.

Bonus incentives, as explained in this case study on WagerWorks, are offered to attract new players to games and to increase overall play time, but these incentives also attract the attention of cyber criminals since they can set up multiple accounts under stolen identities, and take advantage of the free money offered for each new account.

Gambling sites, like banks and retailers, are forced to deal with a wide spectrum of Internet crimes and other in-game abuses that cost the industry hundreds of millions of dollars in fraud losses each year.

Many gambling sites have increased efforts to detect suspicious players, but Internet-savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

It is increasingly necessary for online casinos to deploy more effective solutions, which analyze information beyond that which is supplied by users. By starting the fraud detection process with a device reputation check from companies like Oregon-based iovation Inc., gambling sites can stop problem players within a fraction of a second and avoid further checks and fees when the device is known to be associated with fraud. According to Chrystian Terry, Director of Casino Operations at WagerWorks, “iovation helped us shut down 20 sophisticated rings. Imagine the lifetime value of bonuses on nearly 300 accounts – that’s tens of thousands of pounds! The service paid for itself on the first day.”

At the recent Caribbean Gaming Show and Conference in Santo Domingo, Max Anhoury, Vice President of Global Sales at iovation, shared in his presentation to attendees that 350,000 fraudulent attempts within gambling sites alone have been reported and shared in their global knowledge base in the last 12 months. And while iovation’s database of half a billion devices typically sees about 2% of devices within most industries associated with negative behavior, within the online gambling industry that number increases to 5% of devices associated with fraud. That’s approximately 500,000 “known” unique devices trying to defraud gambling sites. Sites armed with device reputation know when those devices are on their sites and can keep them out.

The online casino industry has an opportunity to work in tandem with merchants, banks, travel sites and even shipping companies to share data that helps pinpoint the devices responsible for fraudulent activity. Shared device reputation intelligence makes this possible for the first time.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Social Security Numbers as National IDs on Fox News. (Disclosures)

23% of Online Fraud is “Friendly”

Friendly fraud occurs when a customer makes an online purchase with a credit card and then, once the merchandise has arrived, calls the credit card company, claims never to have received the item, and requests a chargeback. The merchant has no way of proving the legitimacy of this card-not-present transaction, and is forced to refund the customer’s money.

According to a new study released by LexisNexis Risk Solutions, retailers lost more than $139 billion to fraud last year, with friendly fraud accounting for one fifth of those losses.

The problem for you, the consumer, is that banks and merchants tend not to believe identity theft victims, because friendly fraud complicates the reimbursement process. It’s not uncommon for victims to be required to sign affidavits and have them notarized.

Online merchants need a better system. Device reputation, offered by anti-fraud experts iovation, would be one step in the right direction. While a customer is placing an order, device identification technology recognizes and re-recognizes the PCs, smartphones, or tablets used to access online businesses across the Internet. Then, device reputation technology determines whether or not the device being used has a history of fraud (including friendly fraud) or is assessed as high risk at transaction time. When a particular transaction is reported as fraudulent, that information goes into a globally shared knowledge base, and the fraudster’s device and its related accounts are flagged in order to prevent repeated attempts under new identities. This protects the merchant and honest consumers from billions of dollars in losses to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Should Dating Sites Require Background Checks?

It’s no secret that there are kooky people in the world, and those kooky people seem to gravitate to the Internet. My theory is that those with ulterior motives relish the anonymity of the web, which allows them to lure in their victims more easily. I can see why they’d appreciate that. It’s easier to lie online.

There’s no body language, no intonation in one’s voice, and no emotional connection to the other person. It’s harder for a person’s sixth sense to connect with an avatar.

The Internet provides a great cover for predators.

In Connecticut, State Representative Mae Flexer introduced a bill designed to make online dating safer. “Sexual predators now have a new tool to find victims — Internet dating websites,” she told the General Law Committee.

And in Texas, State Representative Diane Patrick is proposing that online dating sites be required to disclose to members whether or not background checks are done, which she believes would make online dating safer.

Online dating sites argue that people should use common sense, and point out that not all background checks are entirely accurate. What if the person’s profile is made from stolen information in the first place? The fact is, online dating sites are selling a lot more than an opportunity to connect. They market to the public, inviting them to find love using their website. And they give users an air of legitimacy by default. Posting a profile on a mainstream dating site implies a certain level of credibility.

Background checks would be a good start, and can often provide someone with all they need to make an informed decision. But they may also create a false sense of security and cannot be relied upon completely, especially when people lie about their identity.

Dating sites could incorporate another layer of protection, such as checking the computer used to create the profile in the first place. Device reputation spots online evildoers in a fraction of a second, by examining the computer, smartphone, or tablet used to connect to the dating website or social network. If a device is associated with unwanted behavior, such as spam, online scams, fake profiles, bullying or predatory behavior, the website can reject the new account or transaction. If the computer or smartphone passes the first test of not being associated with unwanted behavior, further identity and background checks would be performed. If the device does not pass, there is no need to pay for further checks.
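The staged check just described (device reputation first, paid identity checks only for devices that pass), the business rules mentioned earlier for gaming operators (negative device history, velocity, geolocation), and the linking of a flagged device to its related accounts can be sketched in code. The following is an added illustration written for this page; it is not iovation’s code and says nothing about how ReputationManager 360 actually works. The device history, the point values, the 24-hour velocity window, the reject threshold and the `background_check` callable are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample history (not real data). Each record is one account action seen
# from a recognised device: the country the connection came from and the outcome the
# site later reported for that account.
HISTORY = [
    # (device_id, account_id, seen_at, country, reported_outcome)
    ("dev-A", "acct-1", datetime(2011, 4, 1, 9, 0), "US", "fake_profile"),
    ("dev-A", "acct-2", datetime(2011, 4, 1, 9, 5), "US", "ok"),
    ("dev-A", "acct-3", datetime(2011, 4, 1, 9, 9), "US", "ok"),
    ("dev-A", "acct-4", datetime(2011, 4, 1, 9, 30), "US", "ok"),
    ("dev-C", "acct-4", datetime(2011, 4, 1, 10, 0), "GB", "ok"),  # acct-4 shared with dev-A
    ("dev-C", "acct-5", datetime(2011, 4, 1, 10, 2), "GB", "ok"),
    ("dev-B", "acct-6", datetime(2011, 3, 20, 12, 0), "US", "ok"),
]
NOW = datetime(2011, 4, 1, 11, 0)  # constructed: the moment the new signups are screened

NEGATIVE_OUTCOMES = {"fraud", "spam", "fake_profile", "predatory", "chargeback"}

# Hypothetical business rules: points per signal and the reject threshold.
NEGATIVE_HISTORY_POINTS, VELOCITY_POINTS, GEO_MISMATCH_POINTS, REJECT_AT = 100, 50, 30, 50


@dataclass
class Verdict:
    device_id: str
    score: int
    decision: str  # "accept", "review" or "reject"
    reasons: list


class DeviceReputation:
    """Hypothetical reputation store: links devices to accounts, remembers negative
    outcomes, and evaluates a device at transaction time."""

    def __init__(self, history, max_new_accounts_per_day=3):
        self.max_new_accounts_per_day = max_new_accounts_per_day
        self.device_accounts = defaultdict(set)   # device -> accounts seen on it
        self.account_devices = defaultdict(set)   # account -> devices it used
        self.device_countries = defaultdict(set)  # device -> countries seen from
        self.negative = defaultdict(set)          # device -> negative outcomes reported
        self.signups = defaultdict(list)          # device -> times accounts were first seen
        first_seen = set()
        for device, account, seen_at, country, outcome in sorted(history, key=lambda r: r[2]):
            self.device_accounts[device].add(account)
            self.account_devices[account].add(device)
            self.device_countries[device].add(country)
            if outcome in NEGATIVE_OUTCOMES:
                self.negative[device].add(outcome)
            if account not in first_seen:  # credit the signup to the device that created it
                first_seen.add(account)
                self.signups[device].append(seen_at)

    def velocity(self, device_id, now, window=timedelta(days=1)):
        """Number of accounts this device created within `window` before `now`."""
        return sum(1 for t in self.signups[device_id] if now - window <= t <= now)

    def related_accounts(self, device_id):
        """Every account reachable through shared devices: exposes the ring, not one account."""
        accounts, devices, queue = set(), {device_id}, deque([device_id])
        while queue:
            for account in self.device_accounts[queue.popleft()]:
                if account in accounts:
                    continue
                accounts.add(account)
                for other in self.account_devices[account] - devices:
                    devices.add(other)
                    queue.append(other)
        return accounts

    def assess(self, device_id, country, now):
        """Apply the rules (negative history, velocity, geolocation) to one device."""
        score, reasons = 0, []
        if self.negative[device_id]:
            score += NEGATIVE_HISTORY_POINTS
            reasons.append("negative history: " + ", ".join(sorted(self.negative[device_id])))
        new_accounts = self.velocity(device_id, now)
        if new_accounts > self.max_new_accounts_per_day:
            score += VELOCITY_POINTS
            reasons.append(f"velocity: {new_accounts} new accounts in 24h")
        known = self.device_countries[device_id]
        if known and country not in known:
            score += GEO_MISMATCH_POINTS
            reasons.append(f"geolocation: {country} not among {sorted(known)}")
        decision = "reject" if score >= REJECT_AT else ("review" if score else "accept")
        return Verdict(device_id, score, decision, reasons)


def screen_signup(rep, device_id, country, now, background_check=lambda: True):
    """Staged check: device reputation first; the paid identity/background check
    (a stand-in callable here) runs only when the device is not rejected outright."""
    verdict = rep.assess(device_id, country, now)
    linked = sorted(rep.related_accounts(device_id))
    if verdict.decision == "reject":
        return {"decision": "reject", "reasons": verdict.reasons,
                "background_check_run": False, "linked_accounts": linked}
    decision = verdict.decision if background_check() else "reject"
    return {"decision": decision, "reasons": verdict.reasons,
            "background_check_run": True, "linked_accounts": linked}


if __name__ == "__main__":
    rep = DeviceReputation(HISTORY)
    for device, country in (("dev-A", "US"), ("dev-B", "US"), ("dev-C", "US")):
        print(device, screen_signup(rep, device, country, NOW))
```

Running it, `dev-A` is rejected on device history alone (a reported fake profile plus four new accounts in one morning), no background check is paid for, and the five accounts it is linked to through the shared `acct-4` are surfaced together; `dev-B` has a clean history and proceeds to the background check; `dev-C` is clean but connecting from a country it has never been seen from, so it is marked for review rather than rejected.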

According to Jon Karl, Vice President of Marketing at iovation Inc., “We stop 150,000 online fraudulent activities every single day. At one of our international dating clients’ websites, one out of five profiles created are found to be fraudulent. We help protect their brand and keep their members safe by identifying the bad actors upfront before they have a chance to come in contact with legitimate members.”

That being said, it would be a good and prudent practice for any online dating site to further vet and screen users. It won’t keep all the bad apples out, but it will significantly reduce those who are currently using the system for no good.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Safe Personal Dating on Tyra. (Disclosures)

Craigslist Scammers Use Emotional Lures

At the moment, I have no less than six different tabs open in my browser, each searching Craigslist for different items I need this spring: trailers, boats, patio furniture, musical instruments, and exercise equipment. Every day I refresh my search results, looking for the best deal. I’m confident that I’ll find what I’m looking for. Patience is the key.

Millions are doing the same thing. And unfortunately, many of them are being scammed out of their money as sellers provide explanations as to why an item is being sold, ranging from “not needed” to “my son died.”

A North Carolina woman and her mother were looking for a used car on Craigslist and found an “amazing, like, this can’t be true, deal.” The daughter contacted the seller, who replied with, “Automatic transmission. It’s in perfect condition. Exterior no scratches. Interior no rips, tears, stains.” The seller asked for $3,900, and added that the car had belonged to her son, who had died in a bike accident, and she wanted to sell the car quickly because it brought back difficult memories.

Meanwhile, the mother found a similar deal on a different car, and the seller had a nearly identical story. This raised red flags and both mother and daughter cut off communications with the scammers. They were lucky.

This type of scam works because people can relate to the awful story and are more inclined to help when someone seems to be in distress.

Craigslist could prevent the majority of these scams easily by leveraging device reputation management. Many Craigslist scammers are based in Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, Philippines and Malaysia. These countries breed scammers who spend their days targeting consumers in the developed world. But real-time device reputation checks such as those offered by iovation can detect computers that have been used for auction fraud (and expose all of the accounts the device or group of devices is associated with), providing the ability to shut down sophisticated fraud rings and thousands of accounts immediately.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Fox News. (Disclosures)