Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Valid scenario when criminal break into an account?


  • Please log in to reply
6 replies to this topic

#1 GoshenBleeping

GoshenBleeping

  • Members
  • 269 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:00 PM

Posted 23 April 2012 - 07:44 AM

I am interested in how valid is the following scenario.

- You have an account on a shopping site (e.g.: Amazon), and that account is populated with your personal info (name, address, phone number) & a credit card
- Criminals gain access to your account
- They order stuff in your name but have it shipped to their address & not your address. The shipping address would be in a different state than your home address.
- You get charged

Questions:
(1) Is this scenario really valid & does it happen?
(2) Since the items were shipped to the criminal's address & that address is now on record at the shopping site, would not law enforcement have an easy time arresting the criminals?
(3) Or since the shipping address is in a different state than your home address, law enforcement in two states would be involved, and this makes arrests more difficult and problematic?
(4) Is there a different scenario that is more common?

Please comment - thanks.

BC AdBot (Login to Remove)

 


#2 jburd1800

jburd1800

  • Members
  • 565 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 23 April 2012 - 08:32 AM

1) That scenario happens every day
2) Maybe. Alot depends on the agency thats involved. Between department size, budget restraints, expertise, and case load, the results will vary. You might have better luck if the department is smaller and the Officer assigned is interested.
3) This could go a number of ways. For the most part, the crime is investigated in the jurisdiction where it accured.
4) that I'm not sure of. All it takes is one business employee to pass your credit card info on to someone else.

Last December I was travelling and went to use my credit card to make a purchase. The card wasn't accepted. Thinking it was just a glitch I tried the card later. Same issue. Called the card company and found the visa # had been compromised. I still had the card in my wallet. In one day the card # was used in $900 worth of unauthorized charges. The charges were all in a town in California. Credi Card company noticed the charges and blocked the #. I never had a monitary loss but it's a real pain dealing with the aftermath.
I have never heard anything about the investigation.

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently thorugh the world and know it's beauty all the days of your life.”


#3 frankp316

frankp316

  • Members
  • 2,677 posts
  • OFFLINE
  •  
  • Local time:05:00 PM

Posted 23 April 2012 - 10:58 AM

The more likely scenario is a spoof site. Most legit sites like Amazon have a secure checkout that could be hard for the average criminal to break into. It's easier for them to create a spoof site and send massive emails that will fool some people. The most common spoof sites are banks and Paypal. If you bite, there goes your info and they can use it anywhere. Most banks and Paypal will not contact the customer directly by email for any reason. This is why this method is called "Phishing" because these criminals are fishing for your info. You need to be very careful perusing your email. We all get these. I received two spoof emails yesterday from banks that I don't even use.

#4 jburd1800

jburd1800

  • Members
  • 565 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 23 April 2012 - 11:24 AM

I don't disagree, but I never open those links/emails and get them all the time. My last puchase on the card was from a Amazon seller...

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently thorugh the world and know it's beauty all the days of your life.”


#5 frankp316

frankp316

  • Members
  • 2,677 posts
  • OFFLINE
  •  
  • Local time:05:00 PM

Posted 23 April 2012 - 05:52 PM

You can't assume that. Have you contacted Amazon customer service?

#6 jburd1800

jburd1800

  • Members
  • 565 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 23 April 2012 - 07:46 PM

I'm not saying the breach was Amazon, just that was the last purchase. The card violation could have been anywhere and prior to that order. What I'm saying is it didn't have to be a phishing link/email...it could have been anywhere the card was used.

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently thorugh the world and know it's beauty all the days of your life.”


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 25 April 2012 - 05:09 AM

(2) Since the items were shipped to the criminal's address & that address is now on record at the shopping site, would not law enforcement have an easy time arresting the criminals?

Most of the time, the items (or money in other scenarios) are not delivered to the criminal's address, but to a so-called "mule" he recruited.

Simply put:
The mule (this is a person) is a go-between that is recruited, often under false pretenses, like a "work-at-home-and-get-rich" scheme.
The mule receives the items, sells them, and transfers the money to the criminal in a way that is difficult to trace. The mule gets to keep a percentage of the money.
If law enforcement arrests the mule, the criminal recruits a new mule.

More info about mules in this article:
https://www.securityweek.com/inside-mule-network

Edited by Didier Stevens, 25 April 2012 - 05:10 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users