UK Daily Mail Online Reports 19 Cyber criminals Arrested

Arrest of Hackers that Netted up to £20m from British Accounts

A multi-million pound internet banking fraud which drained thousands of pounds from the UK accounts of innocent victims was cracked by police yesterday.

A gang of Eastern Europeans made £2 million a month from online accounts by stealing victims log-in details using sophisticated software which can be bought for just £300 over the internet.
They made £6 million in just three months and detectives believe they could have reaped as much as £20 million in the highly organised scam.

The mastermind, who detectives believe is an adept IT expert, was among 19 arrested yesterday in a series of dawn raids across London.
He and his team targeted hundreds of victims who had weak security on their computers and accessed their user names and passwords despite tight security systems put in place by the banks on their internet sites.

Police were alerted by high street banks who were alarmed a sudden surge in fraud.

Investigators from Scotland Yard’s e-Crime Unit discovered that the gang were hitting vulnerable computers using software which is described in the industry as a ‘Trojan horse’ because it infiltrates the computer without the user realising.
The system called ‘Zeus’ or ‘Zbot’ infects victims’ personal computers, waits for them to log onto a list of specifically targeted banks and financial institutions and then steals their personal credentials, forwarding the data to a server controlled by criminals.

It can also manipulate web browsing sessions including creating an additional page requesting the victim to reveal more personal information, such as payment card number, PIN, and passwords.
Users have no idea they are being defrauded because they think they are still on their secure internet banking site.
Unbeknown to the owner, computers infected with Zeus become part of a network where they fall under the remote control of computer criminals.
It is being used increasingly by cyber criminals across the globe.

After the gang had taken over victims’ online bank accounts, they would take out several thousands pounds and place it in a ‘drop’ account before withdrawing the cash.
They recruited dozens of ‘mules’ who would allow them to use their accounts to pay the money into in return for payment.
By using scores of different bank accounts to deposit the money, they hoped to evade being caught.
Detectives have so far pinpointed over 600 British bank accounts which were defrauded but believe hundreds have been targeted.

The ringleader, in his 20s, and his wife, an accomplice in the scam, were arrested in an unremarkable third-floor flat in Chingford, Essex, yesterday morning.
Another couple, also part of the gang, were also arrested at the property.
The ‘nerve centre’ where the ringleader ran his empire from was simply a laptop on a desk in his front room. In front of it lay a notebook where figures of money had been carefully written in pencil.
In all, officers arrested 15 men and four women aged between 23 and 47 on suspicion of the Computer Misuse Act, Proceeds of Crime Act and Fraud Act offences . Inquiries are ongoing to ascertain whether they are in the country illegally.
Among them, two were also arrested on suspicion of possession of a firearm found at one of the properties. They are all in custody for questioning.
Detective Chief Inspector Terry Wilson, who led the investigation said: ‘We’ve worked closely with UK banks through our Virtual Taskforce approach to gather information and evidence which has resulted in today’s arrests.
We believe we have disrupted a highly organised criminal network, which has used sophisticated methods to siphon large amounts of cash from many innocent peoples’ accounts, causing immense personal anxiety and significant financial harm – which of course banks have had to repay at considerable cost to the economy.

‘Online banking customers must make sure their security systems are up to date and be alert to any unusual or additional security features requested which is at variance with their normal log-on experience. Greater public awareness and education will make it harder for personal details to be compromised and for this type of fraud to be carried out.’
Martin Muirhead, chairman of the Virtual Task Force, said: ‘This is an excellent example of how to bring to bear the resources and expertise of multiple agencies and public / private organisations in the UK. This is pioneering work led by the Metropolitan Police Service.”

Read more

Hackers Steal Hundreds of Credit Card Numbers from Restaurant Patrons

September 24, The New New Internet – (California)

Hackers steal hundreds of credit-card numbers from restaurant patrons. Visits to several California-based restaurants turned out much more expensive than customers ever imagined. Police in Roseville, California, the week of September 13 revealed that nearly 200 customers had their credit-card numbers stolen after patronizing the eateries. While the police did not reveal which restaurants were affected due to the ongoing investigation, they said the restaurants themselves are not responsible. “We believe the breach is not actually at the restaurant but a third-party vendor that’s in the process between using your credit card at the restaurant and actually billing the bank,” a police captain told 3KCRA. Because of the complexity of the scheme, Roseville police have asked the Secret Service for help catching the criminals.

In Davis, police are dealing with similar issues. They have seen a 50 percent increase in identity thefts. While police will not say where the cards are being copied, they revealed that crooks use them at Target stores in the Bay Area and as far away as Irvine.

Source: credit-card-numbers-from-restaurant-patrons/ sues vs

Xcentric Ventures, LLC. d/b/a as sues for copyright infringement, trademark infringement, and unfair business practices/unfair competition. They are seeking an injunctive relief.

Well is it wise for to initiate such lawsuit? Is it warranted? The truth is that there is not a clear answer. There are pros and cons that could go either way.

This is our THOUGHTS. as does offer an avenue for injustice.  Such sites for the global community to voice their complaints, unfiltered and uncensored. That’s the beauty and therein lies the danger.  Are these postings false accusations or factual complaints.

Critics of suggest that their consumer advocacy program is a money making business for Ed Magedson its founder and owner. The program charges individuals or companies who would like to have posted reports remove.  They have accised Mr. Magedson of being an “internet terrorist” and other unkind words. These same charges have been level against consumer advocate Les Henderson who runs Crime of Persuasion Blog, Esa Suurio, founder of Web of Trust – and us for its part burst onto the scene within the last two years and have soared in popularity. What we do know is that the operators of are professionals who develop web properties for the purpose of maximizing profit. Consumer advocacy does not appear to be their first priority.

We also know that this group is based in either of these cities or country Seattle, WA, Los Angeles, CA, Canada or India. They are also associated with the Canadian Pharmacy or other Online Pharmacy websites.

These “Professional Consumer Advocay” websites represent a CLEAR and PRESENT danger. They are like WalMart coming to town. They lack the moral compass to advocate on consumer behave.

Legislation Governing Online Drug Sale

Department of Justice – Ryan Haight

Oct 22, 2008
By: George Koroneos, Online Content & News Editor

If you had a drug dealer selling heroin out of your living room, chances are you would do something about it. That’s the predicament many Web hosting and domain registration companies have faced, as the number of illegal online pharmacies has spiked in the past few years.

President Bush, last week, signed into a law a bill that would give companies such as GoDaddy and Lunarpages the ability to remove Web sites of online pharmacies that are not registered as government-approved medication sellers. Under the new rules, if a Web site is making drugs available for sale in the US and they don’t comply with the statute, the hosting companies can shut the site down regardless of where the pharmacy is located.

“We are seeing so many pharmaceuticals—a dramatic increase over the last three years—online,” said Christine Jones, general counsel for GoDaddy, host to 31 million online domains.  “We were looking for a better solution than simply redirecting domain names for SPAM, which is all we could do in the past.”

The legislation came into existence after Rep. Bart Stupak (D-MI) became involved with a case in which ateenager overdosed on Vicodin. The drugs were obtained from an online pharmacy without a prescription. The Senate version of the bill made its way through the office of Sen. Dianne Feinstein (D-CA).

“We’re one step closer to ending the practice of rogue pharmacies on the Internet,” said Feinstein in a release. “We can no longer stand back and allow these outfits to sell highly addictive medications to anyone with a computer mouse and a credit card.”

Jones notes that there is no statutory obligation for an online pharmacy to receive verified Internet pharmacy practice sites (VIPPS) certification. “VIPPS is an extra layer of protection, but there is no requirement that says if you are not certified by VIPPS, you can’t sell drugs online,” she said. “We were looking for something that would make the sale of drugs without registration illegal. Just like child pornography is illegal and taken down immediately on the Web.”

By definition, the largest server providers also host the most illegal pharmacy sites. Last year, GoDaddy redirected 1,300 pharmacy related domain names for SPAM. In effect, if a spammer is sending emails from, and the host receives a SPAM complaint, the domain is taken away. GoDaddy wanted a tool that would easily allow the company to take a Web site offline without having to buy and test the drugs, get a prescription, or make people see a doctor.

“[Under the old rules] we couldn’t take your content away, but you are not allowed to use domain names that are registered to GoDaddy,” Jones said. “We weren’t allowed to take the underlying Web site down, because they weren’t doing anything wrong.”

Even though the registration period isn’t for another six months, GoDaddy has taken a number of URLs that it knew to be violating the prescription rules and have redirected them.

“A lot goes into that law enforcement investigation before a site can come down—we would like to squash that a little earlier,” Jones said. “I always try to encourage people, when they come across a shady site, figure out who the hosting company is and send an email to their abuse department. We rely on those notices to do our investigation.”

Open Congress – Ryan Haight Online Pharmacy Consumer Protection Act of 2008

Official Summary

4/1/2008–Passed Senate amended. Ryan Haight Online Pharmacy Consumer Protection Act of 2008 – Amends the Controlled Substances Act to prohibit the delivery, distribution, or dispensing of controlled substances over the Internet without a valid prescription. Exempts telemedicine practitioners. Defines “valid prescription” as a prescription that is issued for a legitimate purpose by a practitioner who has conducted at least one in-person medical evaluation of the patient. Adds definitions to the Controlled Substances Act relating to online pharmacies and the issuance of prescriptions over the Internet.
Imposes registration and reporting requirements on online pharmacies.
Requires an online pharmacy to:
(1) display on its Internet homepage a statement that it complies with the requirements of this Act;
(2) comply with state laws for the licensure of pharmacies in each state in which it operates or sells controlled substances;
(3) post on its Internet homepage specified information, including the name, address, and telephone number of the pharmacy, the qualifications of its pharmacist-in-charge, and a certification of its registration under this Act; and
(4) notify the Attorney General and applicable state boards of pharmacy at least 30 days prior to offering to sell, deliver, distribute, or dispense controlled substances over the Internet.
Authorizes the Attorney General to issue a special registration under this Act for telemedicine practitioners.
Increases criminal penalties involving controlled substances in Schedules III, IV, and V of the Controlled Substances Act. Authorizes states to apply for injunctions or obtain damages and other civil remedies against online pharmacies that are deemed a threat to state residents.
Requires the U.S. Sentencing Commission, in determining whether to amend or establish new sentencing guidelines to conform the guidelines and policy statements to this Act, to consult with the Department of Justice (DOJ), experts, and other affected parties concerning which penalties for scheduled substances should be reflected.
Requires the Drug Enforcement Administration (DEA) to report to Congress after the enactment of this Act and annually for two years after such initial report on:
(1) the foreign supply chains and sources of controlled substances offered for sale without a valid prescription on the Internet;
(2) DEA efforts and strategy to decrease such foreign supply chains; and
(3) DEA efforts to work with domestic and multinational pharmaceutical companies and others in combating the sale of controlled substances over the Internet without a valid prescription.

JM Test Sues Capital One

Louisiana Firm Sues Capital One

December 7, Washington Post

An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart. According to JM Test, Capital One has denied any responsibility for the losses. On December 4, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. The lawsuit is the latest to challenge whether banks are doing enough to help customers prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company’s online banking credentials, said a digital media lawyer with the Los Angeles law firm Jeffer Mangels Butler & Marmaro LLP. He said that under the Uniform Commercial Code, banks generally are required to maintain “commercially reasonable” methods of providing security against unauthorized payment orders.” But he said just what constitutes “commercially reasonable” security practices has only recently been challenged, citing a recent court case in Illinois expected to go to trial soon in which a couple is suing their bank over $26,500 lost when cyber thieves stole the user name and password needed to access their home equity line of credit.