Until you lose your identity, you may not realize just how precious it is.

Some 6,000 people were jolted by this shocking reality when they fell victim to one of the largest international identity theft and credit card fraud rings in recent history.

The unraveling of this multi-million dollar scam began in September, 2007 when a package delivered to an employee of a  real estate office was opened by the owner of the office.  Upon finding 60 valid credit cards inside the package, the owner reported the find to law enforcement authorities who – with aroused suspicions – began a nearly two year investigation, involving electronic eavesdropping, physical surveillance and the translation of thousands of conversations and e-mails.

The investigation was revealed when forty-five indictments were handed down last month to individuals alleged to have stolen the credit cards and personal credit information of thousands of hapless victims.  The defendants are accused of shipping stolen or illegally obtained credit cards to buyers around the world.  The fraud, estimated at a staggering $12 million, hit individuals across the United States and Canada.

While announcing the bust, Queens Distrct Attorney Richard A. Brown said, “Our investigation reveals that – in terms of just the sheer number of people indicted – this is one of the largest identity theft networks uncovered in recent history and is just possibly the tip of a much larger global credit card trafficking operation.  Besides draining the bank accounts of individuals throughout North America, we believe that the defendants – some of whom live in California, Illinois, Maryland, Pennsylvania and Toronto – also shipped stolen or fraudulently obtained credit cards to buyers around the world and that purchases were made in such far-off places as Japan, Saudi Arabia and Dubai.”

New York City Police Commissioner Raymond W. Kelly and Brown said the ring was made up of three enterprises working together.  Commissioner Kelly said, “When these suspects said ‘charge it’ they stole more than cash and goods.  They robbed unsuspecting victims of their identities too.  This was a sophisticated crime ring which met its just end through painstaking investigation by NYPD detectives and unstinting support by Queens prosecutors.”

As part of the identity theft ring’s operation, a simple, easy-to-obtain and inexpensive technique called Caller ID Spoofing enabled the suspects to defraud the victims and their banks and credit card companies.  Caller ID Spoofing changes the number appearing on Caller ID and some providers of Caller ID Spoofing also provide services that can alter the caller’s voice to such an extent that a man can sound like a woman and vice-versa.

Legitimate uses of Caller ID Spoofing and SpoofCards purportedly enable professionals such as doctors and attorneys to protect their cell phone numbers.  However, in the hands of the defendants named in the indictments, Caller ID Spoofing allowed the defendants to impersonate legitimate credit card account holders by pretending to be calling the account holders financial institution.  Brown went on to explain, “SpoofCards are virtually untraceable and can be used by identity thieves and hackers to pose as government and financial entities as a means to unscrupulously obtain personal information from unsuspecting consumers.”

To acquire the credit cards three methods were used. Cards were either fraudulently taken over, fraudulently opened or intercepted in the mail.  Once the thieves had the stolen cards, all they had to do was visit the nearest ATM machine.  ID mills produced bogus back-up identification materials, such as driver’s licenses, to enable the suspects to present the cards to bank tellers and withdraw larger amounts of money.

This multi-faceted crime ring appears to have been well organized with individuals assigned to specific roles such as account washers, account preparers and account maintainers.

Account Washers:  Gathered specific information on account holders such as mother’s maiden name, household income and occupation to enable account preparers to take over the account.

Account Preparers:  Caller ID Spoofing allowed the defendants to activate the account by pretending to be calling from the account holder’s phone.  By posing as the account holder, the account preparers could then manipulate the information to their advantage by changing key information including the mailing address, PIN number and/or increasing the credit line on the account.

Account Maintainers:  Paid off accounts to avoid any suspicision of fraud and upped the credit lines.  Once the credit line reached a high point, all monies were withdrawn.

But, that’s not all.  Compromised accounts were then sold to identity theft cell leaders who in turn distributed them to the ring’s foot soldiers and shoppers.  Shoppers bought top-of-the-line electronics and were charged with finding “fences” who would buy the electronics from them.

The indictments charge the defendants with Enterprise Corruption under New York State’s Organized Crime Control Act.  Said District Attorney Brown, “Technological advances have made it increasingly easier to carry out identity theft and fraud, two of the fastest growing crimes in the United States…We will continue to work closely with our law enforcement colleagues to stamp out such fraud and help to maintain our nation’s safety and security.”

From the strange but true department, I tripped across this press release today:

National Right to Work Foundation attorneys have successfully negotiated a settlement with the Communication Workers of America (CWA) Local 1103 union for Patricia Pelletier, a worker who was targeted by CWA operatives for a vicious campaign of retaliation after she attempted to remove the union from her workplace.

Connecticut’s lack of a Right to Work law compelled Pelletier, a Hartford-based employee of the Connecticut Student Loan Foundation, to pay union dues as a condition of employment. Dissatisfied with the union’s presence in her workplace, Pelletier exercised her legal right to circulate a decertification petition to eject the union. Her co-workers ultimately voted to remove the unpopular union, but CWA operatives responded by allegedly forging Pelletier’s signature on numerous magazine subscriptions and consumer product solicitations.

In her lawsuit, Pelletier also alleged that union officials planted cocaine in her office in an effort to have her fired.

Pelletier’s home was then flooded with hundreds of unwanted magazines and advertisements. Not only was Pelletier forced to spend several hours each day canceling individual subscriptions, she was also billed for thousands of dollars by unwitting magazine companies, jeopardizing her credit rating. Even after her lawsuit was filed, Pelletier still received excess mail from a variety of journals and magazines, and her name continued to be circulated through advertiser mailing lists across the country.

The 31-count suit brought by Foundation attorneys for Pelletier against CWA Local 1103 and four union officials alleged that CWA operatives committed identity theft, conspired to forge Pelletier’s signature, inflicted undue emotional distress on Pelletier and her family, and violated Connecticut’s Unfair Trade Practice Act by unlawfully retaliating against Pelletier for attempting to remove the union.

Although Foundation attorneys achieved a settlement that satisfies Pelletier, the terms of the settlement are confidential.

“We’re happy to report that after enduring a trying ordeal, Patricia Pelletier is finally getting a satisfactory resolution,” said Stefan Gleason, vice president of the National Right to Work Foundation. “No worker should be subjected to vicious union retaliation for exercising their rights in the workplace.”

For the full release, click –> here.

Online con artists are always coming up with something new.

Now they’re phishing for private information via fax – while pretending to be the IRS.

The phony e-mail arrives, pretending to be from “Internal Revenue Service,” with a subject line such as “please see the attachment.”

One e-mail still circulating yesterday had two attachments.

One looks like a letter on official IRS stationery, saying: “Our records indicate that you are a non-resident alien.”

The other is a copy of an actual IRS form.

See the full report at philly.com.

What the average guy might call a con is known in the security world as social engineering. Social engineering is the criminal art of scamming a person into doing something or divulging sensitive information. These days, there are thousands of ways for con artists to pull off their tricks. Here we look at some of the most common lines these people are using to fool their victims.

See the full report at NetworkWorld.com.

Using the simplest of social engineering hacks — an enticing message with a link, labeled “don’t click” — a “clickjacking” exploit of the Twitter microblogging service flooded its network today, hijacking users’ status to spread itself before the link could be shut down.

The exploit’s link — http://tinyurl.com/amgzs6 — relied on a URL hidden through use of the TinyURL link-shortening service. The hack was shut down early this afternoon by TinyURL’s founder, Kevin Gilbertson, after Twitter users notified him of the attack.

“On my end, I just got some e-mails mentioning it. So once I found that out, I terminated the URL like I do with other abuse instances,” Gilbertson told InternetNews.com. He added that he replaced the forward of the URL with a notice that the URL had been terminated due to a breach of TinyURL’s terms of service.

See the full report at internetnews.com.

Posing as homeowners or city officials, a team of 15 criminals fraudulently sold 82 unoccupied houses to unsuspecting buyers over the last five years, a grand jury charged Wednesday.The homes were in poor neighborhoods and were sold for as little as $6,000, often to immigrants and non-English speakers, and often for cash, according to the grand jury report. Proceeds from the scheme could be as much as several million dollars, the authorities said.

“Both sides of these cases have suffered immeasurably,” District Attorney Lynne Abraham said in a statement, “the families who paid cash for ‘buying’ what they never owned and spending more money for rehabilitation of the properties, and the rightful homeowners who had to hire attorneys to get their rightful property returned to them.”

The authorities first got wind of the scheme in September 2004 when a homeowner, Fernando DeCastris, contacted the district attorney’s office to report the fraudulent sale of a house that he and his wife had owned since 1989 but had left vacant and boarded up because it was an investment property.

See the full report at the New York Times.

Bryan Rutberg’s Facebook account was taken over by a thief who sent out a message  that read URGENT NEED OF HELP (supposedly from Bryan) and that he needed money.  His friends thought the message was from Bryan and generously wired him money (to London).  The thief also blocked Bryan’s wife’s Facebook account so she could not see activity on Bryan’s Facebook Wall.

See the full story in this video:

[youtube]http://www.youtube.com/watch?v=zlt25QLeoGA[/youtube]

An 18-year-old Wisconsin man is being charged with using Facebook to extort sex from boys by threatening to expose nude pictures of them he obtained by acting as girls on the social-networking site.

Waukesha County prosecutors alleged Anthony Stancl posed as females on Facebook, and solicited nude photos and videos from young boys, some of them he knew were under-aged. Stancl, a high school student just west of Milwaukee, was recently expelled for allegedly making a bomb threat. He’s also accused of forcing six under-aged boys and one aged 18 to have sexual encounters with him, prosecutors said.

He enticed them by threatening to release their nude images to classmates, Waukesha County District Attorney Brad Schimel said. “The extortion was all about sex,” Schimel said in a telephone interview.

See the full report at Wired.com.

The following phishing email purporting to be from the IRS was in my in-box yesterday.  Can you spot the obvious flaws that mark this as a phish?

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund under section 501(c) (3) of the
Internal Revenue Code. Tax refund value is $189.60.

Please submit the tax refund request and allow us 6-9 days in order to IWP the data received.

If u don’t receive your refund within 9 business days from the original IRS mailing date shown, you can start a refund trace online.

If you distribute funds to other organization, your records must show wether they are exempt under section 497 (c) (15). In cases where the recipient org. is not exempt under section 497 (c) (15), you must have evidence the funds will be used for section 497 (c) (15) purposes.

If you distribute fund to individuals, you should keep case histories showing
the recipient’s name and address; the purpose of the award; the maner of
section; and the realtionship of the recipient to any of your officers, directors, trustees, members, or major contributors.

To access the form for your tax refund, please click here

This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.

Sincerely Yours,

John Stewart
Director, Exempt. Organization
Rulings and Agreements Letter
Internal Revenue Service

Phishing fraudsters have moved on from banking sites with an attack designed to hoodwink hotel customers, according to a team of security volunteers.Hotel chains including Hyatt, TraveLodge, Comfort Inn, Ramada, Days Inn, and Wyndham are being targeted in the reported scam. More than 71,000 travelers each month have been redirected to counterfeit sites, volunteer security community FraudTip.com warns. Mainstream net security firms are unable to confirm these figures.

FraudTip.com culled its figures using “audience measurement” technology. It reckons the scam combines “advanced online advertising, bogus hotel locators, third-party reservation systems, and Internet browser crimeware to redirect hotel guest traffic to fake versions of well-known hotel chain websites”.

However net security firms reckon the attack is nothing more or less than a straightforward phishing scam, albeit one directed at hotels rather than banks or ecommerce outlets. Some element of search engine trickery to inflate the rank of counterfeit sites may also be involved.

See the full report at The Register.