Study Guide

It's the online version of the school for scoundrels: a school for fraudsters.

Just as stolen card numbers are abundantly available online for those who know where to look, so are instructions on how to steal them, Brian Krebs reported Oct. 17 at krebsonsecurity.com.

But for those not willing to "scour the net for these far-flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or via intensive, one-on-one online apprenticeships," Krebs wrote.

One program, Cash Paradise University, charges $50 for an introductory course and has higher-priced courses for specialized skills.

Beginners can learn skills "such as hiding one's identity and location online, and how to obtain reliable stolen credit card numbers."

After a three-hour course — and a $75 payment — students can "become fluent in the ways of 'Skype carding,' or selling hacked and newly created Skype accounts that have been loaded with funds from stolen credit cards," Krebs wrote.

"Learning the basics of 'carding' merchandise — such as intercepting the shipments and selling the loot online — requires an investment of four to six hours and at least $250, with course materials adding as much as $150 to the cost of the class," he wrote.

Cash Paradise University claims that more than a dozen students have taken the course and praised their instructor.

The fraud school does not give its students the chance to practice their new skills with their tuition payments: rather than accept payments on cards that have likely been stolen, Cash Paradise University accepts only irreversible forms of payment, such as wires and virtual currencies.

Fighting Back

Microsoft Corp. said it has cleansed more than a quarter of a million PCs of the prolific Zeus malware.

Zeus is used to steal online bank account credentials in the first step of a scam that usually involves the hiring of "money mules" to wire stolen funds to a crime ring's masterminds, Computerworld reported Oct. 18.

Microsoft added a Zeus detector to its Malicious Software Removal Tool last week. The tool is designed to remove specific infections from Windows users' computers. Since the tool's update, it has removed 281,491 copies of Zeus from 274,873 computers — just over 20% of all cleansings in the past week, Microsoft said.

The figure is "higher than we typically see even when accounting for the normal, first-month spike" when a new bug is added to the removal tool, Jeff Williams, the director of Microsoft's Malware Protection Center, wrote on the company's blog.

Zeus has been in the news most recently because of a group alleged to have used it to steal $200 million over the course of four years.

Fraudster Fave

The latest numbers are in: Oracle Corp.'s Java is a favorite for fraudster attacks, Microsoft said.

Data from the Malware Protection Center indicates that there has been an "unprecedented wave" of attacks exploiting vulnerabilities in Java, Ars Technica reported Oct. 18. Two vulnerabilities Microsoft highlighted have "gone from hundreds of thousands [of attacks] per quarter to millions," the article said.

These flaws have patches available for computer users to protect themselves, though the article said Oracle's Java updater "isn't exactly the best at deploying the required patches."

Hackers have been looking for weaknesses in users' Web browsers rather than targeting their operating systems. Adobe Systems Inc.'s Reader software has also been a big bull's-eye for attackers, though Adobe launched a major initiative last year to improve its security, including a collaboration with Microsoft.

Java is "arguably just as ubiquitous" as Adobe Reader but not as visible to end users, so "users aren't inclined to update it," Ars Technica said.

ID Theft Charges

An alleged identity theft ring that focused on Medicare fraud was busted last week.

The ring is accused of using the stolen identities of doctors and patients to set up at least 118 make-believe medical clinics, then submit claims to steal $35 million, the New York Post reported Oct. 14. The suspects are accused of laundering their funds by using them to buy casino chips in Las Vegas.

Charges were filed in New York, California, Georgia, New Mexico and Ohio.

The suspects are alleged Armenian gangsters, including Armen Kazarian, said to hold a title, "vor," equivalent to that of a Mafia godfather. Kazarian is the first person charged in the United States believed to hold that title, the Post said.

Punched Out

A man who pleaded guilty to the theft of an automated teller machine described just how much damage the theft caused.

To get at the machine, Shaun Michael Baker said he and three accomplices tore the siding off the back wall of a tavern called Butch's Sports Bar, then punched through the wall itself. Baker described his actions at Lenawee County Circuit Court in Michigan last week, The Daily Telegram of Adrian, Mich., reported Oct. 15.

The ATM was then removed from the building and the tavern's safe was also raided, the article said. The accused knew where the ATM was positioned, it said, because one of Baker's alleged accomplices once supplied floor mats to the targeted building.

Exposure

The Social Security numbers of almost 107,000 University of North Florida students are believed to have been exposed to hackers.

The university said Friday that a hacker was able to access the data from Sept. 24 to Sept. 29, the Associated Press reported Oct. 17. The exposed data also includes students' names and birth dates.

The university and the Federal Bureau of Investigation are both looking into the breach, which was discovered during a routine check of the server on which the data was stored.

Investigators believe the data was accessed by a hacker from overseas, the AP said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.