Security Watch

".RU" a Scammer?

Russian domains have gained a reputation for popularity with fraudsters, and Russia is trying to fight back.

The company that operates Russia's domain-name registry is planning to make it more difficult to anonymously register an .ru domain, according to an article published Friday in Computerworld.

Though no identity verification system is currently in place when people or businesses set up an .ru domain, next month people will have to provide a copy of their passport, and businesses will have to provide legal registration papers to The Coordination Center for the TLD .RU, the article said.

This will not eliminate scam sites, but it may drive them elsewhere, observers said.

Robert Birkner, the chief strategy officer at the German domain name service company Hexonet GmbH, predicted in the article that scammers turned away by Russia are likely to register their sites using Vietnam's .vn or Indonesia's .id domains, which he said have been rising in popularity among fraudsters.

Hack Street Boys

Albert Gonzalez, the confessed mastermind of the data breaches at TJX Cos. Inc. and Heartland Payment Systems Inc., may have supplemented his income with his work for the U.S. Secret Service.

While running a major card fraud ring, he was also paid for his work as a government informant, according to Stephen Watt, an accomplice of Gonzalez who was convicted last year.

The Secret Service allegedly paid Gonzalez $75,000 a year in cash to inform on other card scammers, Watt told Wired.com's "Threat Level" blog.

That is far more than other known informants have been paid, Wired.com reported in a Monday blog post. Wired.com cited several instances in which the Secret Service paid $18,000 or less — including one in which it paid no cash but covered rent and other expenses.

Mark Rasch, a former federal prosecutor, told Wired.com that Gonzalez's pay shows that before his 2008 arrest he was considered an effective informant. "It's not an outrageous amount to pay if the guy was working full-time and delivering good results," Rasch said. "It's probably the only thing he was doing — other than hacking in to TJX and making millions of dollars."

Rasch said that the government has been known to pay far more to informants in higher-risk situations, such as investigations of organized crime.

The Secret Service would not comment to Wired.com on payments it has made to informants.


Though Gonzalez's rap sheet seems to include every major breach in recent years, Russian authorities have found someone else to blame for the 2008 intrusion on Royal Bank of Scotland Group PLC's processor, RBS Worldpay Inc.

The Russian Federal Security Service has arrested Viktor Pleshchuk, a St. Petersburg resident, in connection with the RBS Worldpay hack, Wired.com wrote in its "Threat Level" blog Monday, citing several reports.

Pleshchuk and others were indicted in the United States last November for their suspected roles in the breach. Pleshchuk is accused of exploiting a vulnerability discovered by an accomplice to gain access to the RBS Worldpay system and then reverse engineering encrypted PIN codes — a skill Wired.com described as "the holy grail of bank card hacking."

Though Pleshchuk has been apprehended, his fate is unclear since the United States lacks an extradition treaty with Russia and prominent suspects there have been known to pull strings to escape jail time.

E.J. Hilbert, a former FBI special agent, told Wired.com that he is "extremely skeptical" that Pleshchuk will face serious punishment. Though "the cooperation between the FBI and FSB related to this arrest is monumental," he said, even a guilty suspect "making this amount of money will be well-connected and thus protected."

Trial and Error

A Bronx woman is suspected of drawing inspiration from a credit card theft trial at which she was a juror.

Jennifer Mercado, 20, was accused by a fellow juror of having stolen his credit cards and gone on a shopping spree during the jurors' lunch breaks over several days, the New York Daily News reported last week. Mercado told the paper that she used the cards, which belonged to juror John Postrk, with his permission.

"He came on to me," she told the paper. "It's a he-said, she-said situation."

Postrk disagrees. He told the judge in the case that he only began to suspect Mercado when he saw her shopping bags and realized they were from the same stores where his card had been used for fraudulent purchases.

Mercado has since been removed from the jury and arrested on charges of grand larceny, possession of stolen property, identity theft and unlawful use of the credit card.

Both jurors were seated in the trial of Warren Stewart, who faced charges of burglary, grand larceny and possessing a stolen credit card, the article said. After Mercado was removed, the remaining jurors found Stewart guilty of burglary but acquitted him of the credit card charge.

Love Hurts

Some scammers leave broken hearts in their wake as well as depleted bank accounts.

Msnbc.com's Bob Sullivan compiled a list of the top five scams he has heard about from readers of his consumer advocacy column, "The Red Tape Chronicles." At the top of the list, which he published Sunday, are dating scams.

"Love-based scams are the easiest to perpetrate," Sullivan wrote, because dating is inherently about extending trust to someone you barely know. Fueled by stolen credit cards, male scammers fund lavish courtships, sending flowers and candy to women who find them through online personal ads. Eventually, the scammers request a large wire transfer to help fund an in-person meeting.

The No. 2 scam is fake antivirus software, which infects a victim's computer and renders it nearly unusable until the target supplies a credit card number to buy software that purportedly will "cure" the infection.

Compromised Facebook accounts, botnets and fake blogs are also popular techniques for scammers seeking to steal bank account details from online consumers.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER