cybercrime

Fraud Attempt Using Equifax Data Breach Personal Information and Masquerading as Santander

Jason Stadtlander

I have never seen such a well-engineered fraud attempt, so I thought that I absolutely must share it with my readers for your own protection. I will also note that it was something that I began to actually fall for, but then started to see red flags. I will note the red flags I saw in red and I’ll note the red flags that I should have seen but did not, in orange. I want to extend my deepest gratitude to Santander and the customer service representative that helped me identify this fraudulent attempt.

I was ending my day at work this afternoon when my cell phone rang with a toll-free number (877) 768-2265. I didn’t immediately recognize the number, so I figured I’d let it go to voicemail and if it’s legit, they’d leave a voicemail. Well, no voicemail. Then I got another call, and another, and another. Seven calls later I finally pick up the phone, “Hello?”

“Hello, this is Daniel Morgan from Santander’s fraud prevention department, is this Mr. Stadtlander?” the man asks.
“It is,” I reply.
“Is your home address ***************, Massachusetts?”
“It is.”
“Do you have a debit card ending in ****?”
“Yes, it’s right here in my pocket.”
“We are showing two charges at a Walmart in Atlanta, Georgia for $280.87. Are you currently in Atlanta sir?”
“No, I’m in Boston.”
“This was registered as an alert in our system and we wanted to reach out to you to resolve this. Do you have a few minutes?” the man says.
“Yes of course,” I reply.
“We would like to close this card and send you out a new one. Let me just confirm that there are no other charges appearing other than these two. One moment.”
He did not bother to verify any transactions with me. This did not occur to me until later.
There is silence as he ‘checks his computer’.
A moment later he comes back, “Yes. It looks like those are the only attempts. We will need to send you out a new card just to be safe. Can you verify your mailing address as **************?”
“Yes, that’s correct.”
“And the best number to reach you is ***************?” he asked stating my cell phone number.
“Yes, that is correct,” I reply.
“And your debit card ends in **** with an expiration of ** of ****?”
“That’s correct.”
“Ok, we will send out a new card via Fed-ex and you should have it by tomorrow. Let me just check with my supervisor that we can waive the $15.00 charge for overnighting it.”

Despite my irritation that someone must have been using my card, my eyebrow raises, why would they charge me to overnight a card if I’m their customer? But, I go along with it. In the meantime, I put him on speaker and google the phone number, which sure enough comes back as Santander’s customer service number. I am aware that it is not hard to spoof (fake) a caller ID number, I’ve demonstrated how to do it myself. But at this point, I’m not on full alert yet.

A moment later he comes back on and says, “Ok, no problem. We can have this to you by tomorrow morning. We want to reset the PIN as we aren’t allowed to use the default pin. What is your current PIN so we can reset it?”

WHAT?! Why on EARTH would they need my PIN? I think to myself. Now my ‘bullshit’ antennas are quivering like there’s a thunderstorm coming.

“I’m sorry, I’m not comfortable providing that over the phone,” I reply.
“I can understand your concerns sir, I assure you that this is just to protect your own confidentiality and ensure that we expedite your card back to you as soon as possible.” he begins calmly. “If it helps, I can verify additional personal information.”
“Ok, thank you,” I say. (At this point not believing a word that’s coming out of his mouth.)
“Can I verify that your date of birth is __________ and your social security number is _________?” repeating back to me my true date of birth and my full social security number. My jaw drops open and my mind is reeling.
“Yes, that’s correct,” I begin, “My PIN is _____.” I stated, giving him a fake PIN, then I say “can you hold for just one second, I have an emergency call coming in on the other line from my child’s doctor. One second.”
“Certainly sir, I’ll hold and see if I can get this input while I wait,” he states and I press the mute button.

I get on my work line and dial the same number that called me (which is also on Santander’s website) and after a series of verification prompts a woman picks up. “Hello, this is Beth (name changed to protect her identity) from Santander, how can I help you?”

I take a moment to explain the whole situation to her and I can sense her jaw also dropping open. “What?! We would never ask you for your PIN and we would never give out your social security number.” At this point, the man is asking if I’m still there and I ask her to stay on the line and listen in to the speaker call on my cell phone which she graciously agrees to.
“Hello, I’m sorry – are you still there?” I ask the man.
“Yes. Not a problem Mr. Stadtlander. I entered your PIN into our system and it says that the PIN is incorrect, is there a chance you gave me the wrong PIN?”
“No, it was definitely the correct PIN.”
Then Beth says to me in the other ear, “Ask him for his name and employee ID.”
“I’m sorry, I didn’t catch your name, what is your name and employee ID? I’m just taking notes here and want to make sure I get everything.”
“Certainly sir,” he begins, “My name is Daniel Morgan and my employee ID is 45321409.”

In my other ear, Beth states “Nope. Our employee IDs do not use that format. This is completely made up. Ask him to speak to his supervisor.”

“I’m sorry, Daniel, can I speak to your supervisor?” I ask.
“Certainly sir, one moment.”
There is a pause of about a minute and then another male voice comes on the phone, “Hello, this is Roger with Santander. I understand my colleague is attempting to help you by getting a replacement card out to you? How can I help?”
“I’m sorry, what was your name?” I ask.
“Roger Smear.”
“Thank you, Roger. I’m sorry can you hold one second, I have an emergency call I am still trying to deal with, just give me two seconds.”
“Absolutely Mr. Stadtlander.”

Beth and I are both in shock at the level of detail on this and she recommends that I let him know that I have Santander Fraud Prevention on the other line and see what he does.

“Hello, Roger, are you still there?”
“I am, do you have that PIN so that we can help get your card reset?” he asks.
“Actually, I just have a question. I have Santander’s Fraud Prevention and the local police tied in on the other line and they feel that things aren’t adding up. Do you mind if I patch you in?”
One second later he hangs up.

Now, I thanked Beth graciously and she did some further investigating while I had her on the phone and she was able to determine that there were two attempts to check my account balance using my debit card in Las Vegas a few minutes prior. But it registered as an invalid PIN and did not work. We talked for a bit and she also told me that she had recorded the entire conversation which I was happy for. She then helps me to cancel my card and send out a new one.

I am still floored at the level of detail and social engineering that went into this. As best I can figure, they got my debit card number and expiration (most likely from a card scanner in an ATM – it’s easy to do) and then matched up my relatively unique name to my information in the Equifax Data Breach (to which I am also one of the millions of victims).

Please, I cannot state this enough – be very aware anytime anyone is asking anything from you. Get validation and if there are any doubts, call your bank on the other line and confirm the validity. I would hate to guess how many people fall for this scam.

To Catch a Thief – How CyberCrime is Stopped

Jason Stadtlander

It’s a question that I am asked at least once every few months, “How exactly do authorities catch cyber criminals?”

It’s also a question that isn’t so easy to answer. Cybercrimes, like many crimes, vary both in how they are carried out and in how the perpetrators are caught. However, there are a few standard steps that are followed when authorities get a search warrant or are investigating a cybercrime.

Seizure of logs and details online / phone / etc.

One of the first tasks performed is to confiscate all data-containing electronic equipment (desktops, laptops, tablets, phones, iPods, DS, etc.). Equipment seizure is not as simple as shutting everything down, pulling the wires and taking it away, however. Investigators must first capture the memory of the device: the part of the computer that holds everything in a temporary space while it is operating. Once shut down, electronics clear their memory, and everything that was running is lost forever. Hard data (on the hard drive, USB drives, etc.) is another matter; if a computer is shut down, that hard data will not be affected. So, the first thing a cyber-crime investigator will do is use a special program in conjunction with a special device to capture that memory for analysis and cataloging at a later date.

Pulling data from Internet service providers (ISP) and social websites

If an ISP is involved, which it almost always is, investigators will collect the unique number that all users are given (the IP address), along with as many details as the ISP may hold. Most ISPs are required by law to retain logs of who has what IP address and even some of their browsing activities for an established amount of time. Investigators will also contact social websites such as Twitter, Facebook and Instagram to request logs, photographs and details from the sites concerning the suspect’s activities. This is often a difficult and laborious process as social websites usually prefer to maintain a level of privacy for their users, regardless of their activities. The sites will often push the letter of the law to the edge to protect themselves.

Cataloging and entry into evidence

Computers are then taken back to a lab for analysis and cataloging just as other evidence might be. There are special programs, such as Forensic Toolkit (FTK), that investigators use to catalog every byte of data so that it can be used in court, showing when the data was created, who created it, when it was last modified and where it came from. If a hard drive shows evidence of mass deletion or formatting, they may use a program to do a deep disk analysis which can recover deleted data after a perpetrator has formatted the drive.

All of this allows the district attorney to gather evidence against the suspect. Investigators have to be extremely careful as defense attorneys will take any hole in the evidence to sway a juror in their direction. Investigators also want to ensure that the person being suspected of the crime is actually guilty and that the evidence wasn’t just put there maliciously by someone else.
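The cataloging idea described above, as an added example (not part of the original post, and not how FTK itself works): a minimal manifest that records a hash, size, modification time and owner for every file in an evidence copy, then re-checks the copy later so any alteration or planted file shows up. The function names, the sample files and the use of the file owner's uid as a stand-in for "who created it" are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def catalog(root):
    """Record one manifest entry per file under the evidence copy `root`."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            entries[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "modified_utc": mtime.isoformat(),
                "owner_uid": st.st_uid,  # assumption: owner as a proxy for creator
            }
    return entries

def verify(root, manifest):
    """Re-catalog `root` and list every difference from the original manifest."""
    current = catalog(root)
    findings = []
    for rel, rec in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel]["sha256"] != rec["sha256"]:
            findings.append(("content changed", rel))
        elif current[rel]["modified_utc"] != rec["modified_utc"]:
            findings.append(("timestamp changed", rel))
    findings += [("added", rel) for rel in current if rel not in manifest]
    return sorted(findings)

def demo():
    """Build a constructed evidence folder, catalog it, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"chat.log": b"constructed sample\n", "photo.bin": b"\x00\x01"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = catalog(root)
        clean = verify(root, manifest)          # nothing touched yet
        with open(os.path.join(root, "chat.log"), "ab") as f:
            f.write(b"edited later\n")          # simulate later alteration
        with open(os.path.join(root, "planted.txt"), "wb") as f:
            f.write(b"x")                       # simulate a planted file
        return clean, verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest is taken from a write-blocked image rather than a live folder, and the manifest itself is signed or stored separately so it cannot be edited along with the evidence.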

Presentation in court

Cyber investigators will then be called in to appear in court, testifying on the data that they collected, where it was collected and how it connected the dots to lead investigators to believe beyond a shadow of a doubt that the suspects are guilty.

Decompiling the Mind of a Child Predator

Jason Stadtlander

While working at an expo on a cold and rainy spring day, I managed a tech-support booth, offering free computer assessments and clean-ups for visitors at the expo. Mid-morning, a gentleman arrived who was working in another booth and asked one of my colleagues to clean up his laptop. She worked on it for all of twenty minutes, uninstalling malware, removing adware—and then came to an abrupt halt, needing some advice. Since I was her supervisor, she immediately said, “Jason, you’d better look at this.”

I sat down at his laptop and saw what she was concerned about. There were thousands of photos of naked girls. I won’t get into specifics, but by law, as an IT professional, I am required to notify the authorities. This is something that I really didn’t want to deal with. In the end, I’m not sure what actually happened to the man as he was from out of state, and I heard nothing more about it. I gave my report to the police and left it at that. I wasn’t asked to collect anything off his computer as that would involve me as a third party in the case beyond simply discovering evidence.

A rare occurrence you might think? Sadly, these situations happen often.

Why Molest Children?

According to a May 2013 statistical analysis by the National Center for Missing and Exploited Children (NCMEC), there are 751,538 registered sex offenders. Granted, not all of those are going to be child sex offenders as these statistics also include rapes, lewdness, etc.

These statistics did make me wonder, however—why do so many engage in such sexually-deviant, damaging behavior? Are they miswired? Are they lonely and feel that it’s easier to overpower a child than to attain the natural affection of another adult? Or is it something deeper in the psychology that I just wasn’t seeing?

Ron Kokish, a therapist from California, published an article stating that basically most child predators and molesters do not molest children because they are “sick” but rather because they are “evil” and because they allow themselves to be given over completely to self-indulgence with no thought given to the child’s well-being, their parents, society—their own twisted needs and desires become paramount.

He further went on to explain that adult attraction to children is biological—that it is something we are programmed with at the core of our genetic makeup—a need and a desire that cannot be denied. And so we as a society develop rigid moral codes and ethics to counteract these animalistic needs and desires.

Frankly, I disagree. I am a father, and not once in my life have I had a desire, animalistic or otherwise, to do anything sexual or harmful to a child. On the contrary, I have always had a strong drive to help children—to protect them so they can live a young life rich in happiness and freedom as all children should have. Sometimes it hurts that I can’t help every child I see who is struggling.

If what Kokish is saying is true, there are far too many adults in society concerned with their own base, selfish needs and desires. I realize that historically, people have always been more interested in their own lives and their own well-being. This is part of “survival of the fittest.”  The reality is, however, that as a global society we are clearly moving away from survival-of-the-fittest mentality (something I happen to disagree with, by the way—but that’s a discussion for another time), and if we are to maintain this direction, then we also need to be selfless and be interested in the betterment of mankind, beginning with our children.

Internet: The Final Frontier for Anonymity (or so we think)

Let’s face it, there have always been people who prey on children, even as far back as the ancient Egyptian and Babylonian civilizations—but is there an increase in these acts of sexual depravity against minors or are we simply more aware of them now that we live in the “Information Age?”

I believe the answer is yes to the increase and yes to greater awareness.

NCMEC’s statistic for Sex Offenders in the United States for 2012 was 747,408 and in that same article it shows that it was up from 606,816 from 2006. Clearly there is an increase and statistics document that. But there is also an increase in our awareness of offenses. The very fact you’re reading this article proves that there is more information being showcased out there in the hands of the general public.

It is important to note, however, that this increase definitely has to do with more readily available resources for offenders. There are chat rooms, bulletin boards and communities that not only have the capability for anonymity, but flaunt it. Keep in mind, however, anonymity is only as good as the person hosting the community. Working in Information Technology I can tell you first hand, I could collect everything from the computer you’re using, to your IP address at your home, to your shopping habits simply by allowing you to browse a site I designed. However, not all online communities are as vigilant about the collection of their users’ data because they themselves wouldn’t want their own data collected.

It is important to note here that when using the internet, people are far more disinhibited than during face-to-face communication. Pair this disinhibiting nature with the anonymity offered in virtual communication and this provides a recipe for disaster. Left unchecked, people who might not otherwise seek out their most depraved or negative behaviors feel less stifled and are tempted to explore avenues of depravity to a greater extent than they might otherwise have been able to in real life. Add to this mix the places that children enjoy connecting (Facebook, Twitter, etc.) and all of the right ingredients come together to pursue those base, animal desires.

Furthermore, most sex offenders are aware that, without a court order, websites such as Facebook and Twitter are prohibited from releasing information about their browsing habits or activities. In essence, this offers a shield of protection—protection to law-abiding citizens, for sure—but also to those who clearly intend to break the law and do harm to innocent children.
