-=[ Busted ]=- Six Trillion In Fake Bonds

On the other side of the pond, a record $6 trillion of fake US Treasury bonds were seized by Italian anti-mafia prosecutors.  The bonds were uncovered in hidden compartments in three safety deposit boxes in Zurich.  Bloomberg reports that Italian authorities arrested eight people in connection with the probe, dubbed Operation Vulcanica.

The Italian authorities also uncovered fraudulent checks issued through HSBC Holdings in London, and another $2 billion of fake bonds in Rome.  Those involved in the financial fraud case were apparently planning to buy plutonium from Nigeria, according to police monitored phone conversations.

Good work, guys.  I hope they round up all involved, especially those with the plutonium.  You know that stuff isn’t going to be used to power wind-up toys.

Fake iPad2s On Store Shelves in BC

CTV reports that as many as 10 fake iPad 2s, made of slabs of modeling clay, were recently sold at retail stores in Vancouver, BC.  Best Buy and Future Shop are investigating.

Scammers apparently bought the iPads with cash, replaced them with bags of modeling clay, resealed the boxes and returned them to stores for refunds.  The devices were apparently stuck back onto the shelves without being checked because they appeared to still be sealed, and then re-sold to other customers.

How these “tablets” were not detected is beyond me.  I can never return merchandise without getting the third degree.  I have had to provide a reason for every return, and “I just changed my mind” never suffices.  Don’t retailers generally test returned products, or at least check that the contents are present?  Those little plastic seals aren’t that difficult to unstick and then reseal.

So what can consumers do to protect themselves?  Always open the box before leaving the store, and check that the contents are what you expected.

Beware The Pink Facebook Scam

Watch out for this scam on Facebook.  You might get invitations from some of your online friends to change your Facebook page from that boring blue color to the more exciting and invigorating pink, black or even red color.  Don’t get sucked in.  Each of the pages linked to in the invitation demands that you share it with others, write a nice comment about it, and complete a survey.  These surveys drive revenue to the scammer, who is paid for each one that someone fills out.

You are very unlikely to get the awesome color change that was advertised, and any friends that follow your recommendations won’t be very impressed when they don’t get it either.  Now, there are a number of GreaseMonkey scripts which will work alongside the Firefox web browser to customise the look of Facebook and other sites, according to Graham Cluley.  Look them up if you are so inclined.

People who have fallen for this survey scam should scan their Facebook profiles for “shared” and “liked” content that they don’t want to endorse.

Financial Institutions, Charities, Beware OpRobinHood

Notorious hacking groups Anonymous and TeaMp0isoN are teaming up with other hacktivists to launch coordinated attacks on banks in response to recent crackdowns against “Occupy” protest movement encampments.  The joint operation has been code-named OpRobinHood, and will involve using stolen credit cards to make false donations to charities, and other malicious activities that their moms can all be proud of.  These activities are supposed to be going down at the expense of banks, but who do you REALLY think will face increased charges and clawbacks to cover the losses?  Yup.  You, me and those unnamed charities.

These anarchists are also encouraging bank account holders to withdraw their funds and deposit them in credit unions instead.  Their intention is to starve the banks of customers as a physical attack, and to parallel that attack with sustained, large-scale credit card charging campaigns.

Of course, this raises a few questions:

  • Just how much more “honest and considerate” do you think a credit union is of the Occupy protesters?
  • What differs the credit union from the banks regarding motivations and intentions?
  • How is one any better than the other?
  • Is security somehow better, worse, or about the same at these gentler credit unions versus the evil empire of banks?
  • When they are finished with the banks, will they then come after the credit unions?  Then the mattress manufacturers?  And finally cookie jar makers?

It’s nice that these hacktivists have 99% of us in their hearts, but why do I get the feeling that this is all just another sham to cover over the fact that what these cowards are actually doing is taking money from the banks to line their own pockets, and using the charities to distract, hide, or launder their ill-gotten gains?  Just sayin’…

-=[BUSTED]=- Fraud Victimizes Two NC Banks

FraudNews reports that three individuals, a disbarred lawyer, a crooked loan officer and another man, could get long prison sentences for their roles in a mortgage fraud scam involving two well known North Carolina banks.  All three have pleaded guilty on a variety of counts.  The US attorney’s office states that they caused losses amounting to over $1 million.

Loans department bank officer Mark David Webb and Goldsboro real estate lawyer William Devaughn Orander III worked at both banks between 2004 and 2008, when the fraud took place.  The banks allowed borrowers to purchase properties without having any money of their own.  They also allowed them to walk away from the closing table with more than 50% of the purchase price of the property in cash.  Prosecutors stated that in many instances the money was paid to other members of the conspiracy, either individually or through the real estate holding companies that the co-conspirators owned.  As for Southern Bank, its losses amount to nearly $284,000 on about $715,000 loaned out.

The third party to this conspiracy, Robert Keith Parker, pled guilty to the charge of making false statements to influence financial institutions connected with the loan.   It was Parker and Webb who falsified income tax returns to be able to qualify Parker’s wife to get a loan from Southern Bank.

Nearly $5 million worth of losses were reported last year by New Century Bank in a separate fraud case involving its founding chair, Raymond Lee Mulkey Jr., in which the bank lent its founder millions to operate finance companies that he owned.

Beware “Wrong Hotel Charge” Spam Scam

A very malicious spam campaign has been detected and reported by the good folks at M86 Security Labs.  The attack consists of emails appearing to come from reception desk managers at various hotels, targeting Visa users.  The emails exhibit subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a rather long explanation in very bad English, claiming that the hotel has charged your credit card for over $1,000 by mistake.

To summarize, the email generally says, “Please see the attached form.  You need to fill it in and contact your bank for the return of funds,” and offers an attachment named RefundFormXXX.zip (XXX represents a random three digit number).  The unzipped file is Refund-Form.exe which is outfitted with the icon for an Excel file in order to encourage opening (executing) it.  Once executed, the malware downloads another executable from a Russian domain which is a fake AV application named “Security Protection”.

An HTTP request is then sent requesting a module called ‘grabbers’ from load.php.  A file called update.dat is retrieved, which is actually an encrypted Windows .dll file.  Once decrypted it acts as a password stealer, looking for stored passwords and targeting a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers.

Roughly one day after all of this malicious activity takes place, another HTTP request is sent, retrieving another fake AV called “Personal Shield Pro”.
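The lure described above has three fixed features a mail gateway can key on: the stock subject phrasing, the RefundFormXXX.zip attachment name, and a Windows executable hiding inside the archive.  The following script is an added example (mine, not M86’s or the original post’s) that flags all three; the message it scans is constructed in build_sample(), and its “executable” is just an MZ header followed by filler, so nothing here is real malware.

```python
"""Flag mail that matches the 'wrong hotel charge' lure: a lure subject line,
a RefundFormXXX.zip attachment, and/or an executable inside the ZIP.
Added example; the sample message is constructed, not a captured one."""
from __future__ import annotations

import email
import io
import re
import zipfile
from email.message import EmailMessage

# Fixed phrasing from the campaign's subject lines; the hotel name varies.
SUBJECT_PATTERNS = [
    re.compile(r"made wrong transaction", re.I),
    re.compile(r"wrong transaction from your credit card", re.I),
]
# RefundForm followed by a random three-digit number, as described above.
ARCHIVE_NAME = re.compile(r"^RefundForm\d{3}\.zip$", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def is_pe(data: bytes) -> bool:
    """Windows executables begin with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def inspect_zip(blob: bytes) -> list[str]:
    """Return one finding per archive member that is an executable, either by
    extension or (for renamed files) by its PE magic bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"executable member {info.filename}")
            elif is_pe(head):
                findings.append(f"PE file with non-executable name {info.filename}")
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Scan a raw RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw)
    findings = []
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append(f"lure subject: {subject!r}")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        if ARCHIVE_NAME.match(fname):
            findings.append(f"lure attachment name: {fname}")
        payload = part.get_payload(decode=True) or b""
        # Only open things that really are ZIP archives ('PK' local header).
        if fname.lower().endswith(".zip") and payload[:2] == b"PK":
            findings.extend(inspect_zip(payload))
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the campaign (hypothetical sender)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stand-in for Refund-Form.exe: MZ header plus filler, not real code.
        zf.writestr("Refund-Form.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "reception@example.invalid"
    msg["Subject"] = "Hotel Sutton Place made wrong transaction"
    msg.set_content("Please see the attached form. You need to fill it in "
                    "and contact your bank for the return of funds.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="RefundForm123.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print("ALERT:", line)
```

The PE-magic check matters more than the extension check: a gateway rule that only looks at filenames misses the same executable renamed to look like the Excel file its icon already imitates.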

Facebook Fake AV Malware Again

On the topic of social media and Facebook in particular, a very complex and effective fake Anti-Virus campaign is targeting Facebook users.  Like most of the cruft that targets Facebook users, it starts with contact by a Facebook friend using the social network’s chat feature.  “Hi. How are you? It is you on the video? Want to see?” asks the “friend”, offering a link to a YouTube page.  Intrigued, the target follows the link and sees that the video, with the target’s name in the title, has apparently been commented on both positively and negatively by a bunch of their Facebook friends.

Of course, the target cannot view the video because they appear to be “missing an Adobe Flash Player update”, according to a message written over the blank space where the video is supposed to be displayed.   The file offered for download is Trojan.FakeAV.LVT.   This little miscreant copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware. It then adds a registry key in %SYSTEM% and the malicious code is either added to the list of authorized applications for the software firewall, or it disables the firewall altogether.  Finally it disables all notifications generated by the firewall, the update module, and whatever antivirus it finds installed on the PC, according to BitDefender.

This malware makes the effort to detect which legitimate AV solution the user has installed, and displays customized warning messages that mimic what the legitimate solution would present.  So clever, and so deviant.  Someone deserves a beating.  Of course it “scans and finds” a virus on the system, and asks the user to reboot so that it can clean up the mess.  Unfortunately, the reboot triggers the system to boot into safe mode, allowing the malware to uninstall the legitimate AV solution, and then the system is rebooted into normal mode.  The system is now completely vulnerable, and a downloader component launches to quietly download additional malware from an array of URLs.

The malware agent contains a list of IPs of other infected systems which will be used for exchanging malware, creating a fully-fledged malware distribution system with peer-to-peer update capabilities.  These IP lists are updated regularly so infected systems are always in contact, and constantly exchanging malicious code.
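The file-system artifacts BitDefender attributes to this trojan (%windir%\services32.exe and %windir%\update.X\svchost.exe) are easy to check for on a drive mounted offline, which is exactly the state you want the machine in once you suspect it.  The script below is an added example of mine, not BitDefender’s or the original post’s code: it walks a Windows directory you point it at, reports the two named artifacts, and, as a generalisation of the second one, reports any svchost.exe living outside System32 or SysWOW64, the only directories it legitimately occupies.  build_sample_tree() constructs a throwaway tree so the check can be exercised without an infected machine; the hidden-attribute annotation only has data to work with when run on Windows.

```python
"""Triage check for the on-disk artifacts of the Facebook fake-AV trojan
described above. Added example; the sample tree is constructed, not real."""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# The only directories under %windir% where svchost.exe legitimately lives.
LEGIT_SVCHOST_DIRS = {"system32", "syswow64"}


def _is_hidden(path: Path) -> bool:
    """True if the directory carries the Windows hidden attribute.
    st_file_attributes only exists on Windows, so elsewhere this is False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_fakeav_artifacts(windir: str | os.PathLike) -> list[str]:
    """Return a list of findings for the given Windows directory."""
    root = Path(windir)
    findings: list[str] = []

    # Artifact 1: the dropper's copy of itself as %windir%\services32.exe.
    dropper = root / "services32.exe"
    if dropper.is_file():
        findings.append(f"dropper copy: {dropper}")

    # Artifact 2 (generalised): any svchost.exe outside its legitimate home.
    for svc in sorted(root.rglob("svchost.exe")):
        parent = svc.parent
        if parent.parent == root and parent.name.lower() in LEGIT_SVCHOST_DIRS:
            continue  # the real service host; nothing to report
        if parent.parent == root and parent.name.lower().startswith("update."):
            version = parent.name.split(".", 1)[1]
            hidden = " (hidden dir)" if _is_hidden(parent) else ""
            findings.append(f"versioned copy: {svc} version {version}{hidden}")
        else:
            findings.append(f"svchost.exe outside System32: {svc}")
    return findings


def build_sample_tree(infected: bool = True) -> str:
    """Construct a minimal fake %windir% in a temp directory. With infected=True
    it contains the two artifacts; the 'executables' are placeholder bytes."""
    base = Path(tempfile.mkdtemp(prefix="fakewin_"))
    windir = base / "Windows"
    (windir / "System32").mkdir(parents=True)
    (windir / "System32" / "svchost.exe").write_bytes(b"MZ placeholder")
    if infected:
        (windir / "services32.exe").write_bytes(b"MZ placeholder")
        (windir / "update.3").mkdir()
        (windir / "update.3" / "svchost.exe").write_bytes(b"MZ placeholder")
    return str(windir)


if __name__ == "__main__":
    for finding in find_fakeav_artifacts(build_sample_tree()):
        print("FOUND:", finding)
```

Run it against a mounted image rather than the live system: once the trojan has disabled the installed AV and its notifications, nothing executed on that box, including this script, can be trusted to see the real state of the disk.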

Once a system is compromised by such a vicious malware agent, it should never be fully trusted again.  If you are the unlucky recipient of this insidious and devastating attack, my recommendation to you is to back up ONLY your most important data to SACRIFICIAL MEDIA, and to nuke the system to bare metal.  Because your AV was compromised and the malware causes reboots and loadpoints to be activated, there is no telling what the additional payloads may have done.  Assume the worst: rootkits, password captures, and keystroke logging.  Reformat your hard drives, including the Master Boot Records (MBR), and do the same for any removable media that you have used on that system.  Media that can’t be sanitized should simply be destroyed.  Otherwise you are taking the chance that malware will still exist on your computer, and be able to load before your Operating System and any defensive software that you install.  That means you might as well not install it at all.

Now you know why I’m not real fond of malware or its authors.  Stay thirsty my friends…