Former Amazon engineer convicted in 2019 Capital One data breach

A Seattle jury has found Paige Thompson, a former Amazon software engineer accused of stealing data from Capital One in 2019, guilty of wire fraud and five counts of unauthorized access to a protected computer. The Capital One hack was one of the biggest security breaches in the US and compromised the data of 100 million people in the country, along with 6 million people in Canada. Thompson was arrested in July that year after a GitHub user saw her post on the website sharing information about stealing data from servers storing Capital One information. 

According to the Department of Justice, Thompson used a tool she built herself to scan Amazon Web Services for misconfigured accounts. She then allegedly used those accounts to infiltrate Capital One's servers and download over 100 million people's data. The jury has decided that Thompson violated the Computer Fraud and Abuse Act by doing so, but her lawyers argued that she used the same tools and methods that ethical hackers also use.

The Justice Department recently amended the Computer Fraud and Abuse Act to protect ethical or white hat hackers. As long as researchers are investigating or fixing vulnerabilities in "good faith" and aren't using the security holes they discover for extortion or other malicious purposes, they can no longer be charged under the law.

US authorities, however, disagreed with the assertion that she was only trying to expose Capital One's vulnerabilities. The Justice Department said she planted cryptocurrency mining software onto the bank's servers and sent the earnings straight to her digital wallet. She also allegedly bragged about the hack on online forums. 

"Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself," US Attorney Nick Brown said. Thompson could be sentenced to up to 20 years in prison for wire fraud and up to five years for each charge of illegally accessing a protected computer. Her sentencing hearing is scheduled for September 15th.

FBI warns crypto fraud on LinkedIn is a ‘significant threat’

If you have a tendency to talk to people you don't know on LinkedIn, you may want to take extra care. According to a CNBC report, the company has acknowledged a "recent uptick of fraud on its platform," and this time the scams involve persuading users to make investments in cryptocurrency. It has been deemed a "significant threat" by Sean Ragan, the FBI's special agent in charge of the San Francisco and Sacramento field offices in California, who spoke to the outlet.

CNBC said the schemes typically began with someone pretending to be a professional and reaching out to LinkedIn users. They would engage in small talk, offering to help users make money through crypto investments. First, they would tell their targets to go to an actual crypto investment platform, but "after gaining their trust over several months, tells them to move the investment to a site controlled by the fraudster." Thereafter, the money is "drained from the account."

According to victims interviewed by CNBC, the fact that they trusted LinkedIn as a platform for networking lent credibility to the investment offers. 

Ragan told CNBC that "the FBI has seen an increase in this particular investment fraud," which the outlet said "is different from a long-running scam in which the criminal pretends to show a romantic interest in the subject to persuade them to part with their money."

[Image: A screenshot of the scam reporting page on LinkedIn's website. Credit: LinkedIn]

In a statement published yesterday, LinkedIn encouraged users to report suspicious profiles. The company's director of trust, privacy and equity Oscar Rodriguez told CNBC that "trying to identify what is fake and what is not fake is incredibly difficult."

LinkedIn's article urges users to "only connect with people you know and trust" and to "be wary of... people asking you for money who you don't know in person." The company added "This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings."

It also lists "job postings that sound too good to be true or that ask you to pay anything upfront" and "romantic messages or gestures, which are not appropriate on our platform" as signs of potential fraud attempts.

The company isn't relying on its users reporting suspicious accounts as its only defense against scammers on its platform. "While our defenses catch the vast majority of abusive activity, our members can also help keep LinkedIn safe, trusted, and professional," Rodriguez wrote in the statement. LinkedIn also reported that "96% of detected fake accounts and 99.1% of spam and scams are caught and removed by our automated defenses."

FTC says victims of crypto scams have lost more than $1 billion since 2021

The world of crypto continues to draw scam artists and fraud. People have reported losing a combined total of over $1 billion due to crypto scams since the beginning of 2021, according to an FTC report released today. From January 2021 through March of this year, more than 46,000 individuals filed a crypto-related fraud report with the agency. The median individual reported loss in these reports was $2,600.

Perhaps ironically, the most common coins used in scams are also the most widely used, as well as a top stablecoin. A total of 70 percent of scams used Bitcoin as the payment method, followed by Tether (10 percent) and Ether (9 percent). Ether is the prime currency of choice for NFTs, a relatively new crypto market where fraudsters and hackers have thrived.

Crypto investment scams were the most common type of scam reported to the FTC, accounting for an estimated $575 million in losses. Normally these scams target amateur investors by promising them large returns in exchange for an initial investment.

“Investment scammers claim they can quickly and easily get huge returns for investors. But those crypto 'investments' go straight to a scammer’s wallet,” wrote the FTC’s Emma Fletcher in a blog post.

Romance scams also account for a large slice of reported scams, totaling $185 million in losses. Many of these scammers reach individuals by social media or dating apps. A type of dating app scam known as “pig slaughtering” — where criminals build a fake relationship with a victim in order to con them into investing in crypto — has become more common, reported CoinTelegraph.

It’s important to note that the FTC report is only a small snapshot of how much crypto fraud has truly occurred, since the agency is relying on direct reports submitted by victims. An FTC paper estimated that less than five percent of fraud victims reported it to a government entity, and likely an even smaller number report to the FTC. As crypto becomes more popular, the number of scams has also increased. Blockchain analytics platform Chainalysis estimated that illicit addresses received over $14 billion in crypto last year, nearly twice the amount in 2020.

Democratic lawmakers want FTC to investigate controversial identity firm ID.me

A group of Democratic lawmakers led by Senator Ron Wyden of Oregon is calling on the Federal Trade Commission to investigate ID.me, the controversial identification company best known for its work with the Internal Revenue Service. In a letter addressed to FTC Chair Lina Khan, the group suggests the firm misled the American public about the capabilities of its facial recognition technology.

Specifically, lawmakers point to a statement ID.me made at the start of the year. After CEO Blake Hall said the company did not use one-to-many facial recognition, an approach that involves matching images against those in a database, ID.me backtracked on those claims. It clarified it uses a “specific” one-to-many check during user enrollment to prevent identity theft.

Following that statement, the IRS began to distance itself from ID.me, announcing it would reconsider its use of the platform in late January. It subsequently began allowing taxpayers to authenticate their identity without the use of facial recognition. But as the letter points out, many state and federal agencies continue to require Americans to submit photos and documents to ID.me before they can access vital services, including unemployment insurance.

“Americans have particular reason to be concerned about the difference between these two types of facial recognition,” the senators write of ID.me’s turnaround, noting a one-to-many approach inevitably means millions of people will have their photographs “endlessly” accessed. “Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”

In making the statements it did, the group is asking the FTC to determine whether ID.me committed “deceptive and unfair business practices.” The company already faces an investigation from the House Oversight and Reform Committee. In a statement it shared with Bloomberg, ID.me declined to comment on the specific concerns mentioned in the letter from Senator Wyden. Instead, the company pointed to its track record of preventing unemployment fraud.

“ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options,” the company said. “We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”

Mining Capital Coin CEO indicted in $62 million crypto fraud scheme

Mining Capital Coin CEO and founder Luiz Capuci Jr. was — in an indictment unsealed yesterday — accused by the DOJ of allegedly running a $62 million global investment fraud scheme. He's the latest of several crypto company heads who have recently been similarly charged.

Through his company, Capuci convinced investors to purchase “Mining Packages,” a global network of cryptocurrency mines that promised a certain return on investment every week. But instead of using investors’ funds to mine cryptocurrency as he promised, the DOJ alleges that Capuci diverted the funds to his own cryptocurrency wallets. Another MCC product known as “Trading Bots” operated under the same false pretenses. Capuci claimed that the bots operated in “very high frequency, being able to do thousands of trades per second” and promised investors daily returns.

“As he did with the Mining Packages, however, Capuci allegedly operated an investment fraud scheme with the Trading Bots and was not, as he promised, using MCC Trading Bots to generate income for investors, but instead was diverting the funds to himself and co-conspirators,” wrote the DOJ in its indictment.

MCC seemed to have all the workings of a pyramid scheme. Capuci recruited affiliates and promoters to lure investors. In return, he promised the promoters a number of lavish gifts, including Apple watches, iPads and luxury vehicles.

Currently the FBI’s Miami Field Office is investigating the case. The DOJ has charged Capuci, who is from Port St. Lucie, Florida, with conspiracy to commit wire fraud, conspiracy to commit securities fraud and conspiracy to commit international money laundering. If found guilty, he faces a maximum sentence of 45 years.

In a review of the cryptocurrency mining platform, crypto blogger Peter Obi noted that the combination of MCC’s $50 monthly fee for membership and its steep 3% withdrawal fee meant that investors were unlikely to make a profit unless they referred other investors. He pointed out that such a referral process was “particularly worrying” because it was consistent with other past crypto scams.

Indeed, a number of crypto leaders have been accused by authorities of running Ponzi schemes in recent years. Earlier this year the DOJ indicted Bitconnect founder Satishkumar Kurjibhai Kumbhani for allegedly running a $2 billion Ponzi scheme — believed to be the largest virtual currency pyramid scheme in history.

Capuci never registered his company with the SEC. The agency today issued a fraud alert for the company. According to the SEC press release, Capuci and his associates successfully convinced 65,535 investors to purchase mining packages worldwide and promised daily returns of one percent, paid weekly for over a year. In total, the group netted $8.1 million from the sale of the mining packages and $3.2 million from initiation fees.

UK police charge two teens in connection with Lapsus$ hacking group case

After arresting seven alleged members of the hacking group Lapsus$ last week, London police have charged two of them with multiple computer crimes. The teenagers, aged 16 and 17, remain in police custody in connection with the investigation. 

"Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," the City of London Police said in a news release. "The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorized access to a program. They will both appear at Highbury Corner Magistrates Court this morning (April 1st)."

Lapsus$ claimed to have downloaded 37GB of Microsoft source code for key products like Bing and Cortana, along with mobile apps. They also reportedly compromised the security system of MFA company Okta, forcing the company to admit that it made a mistake in the way it handled the attack. 

One of the teens arrested was reportedly a 16-year-old Oxford resident known as "Breachbase" or "White," who has supposedly made the equivalent of $14 million in Bitcoin. London police have not released any names, however, noting that the people charged are juveniles and that reporting any identifying information about them is prohibited. 

RIAA goes after NFT music website HitPiece

HitPiece may have already shut down its website after several artists spoke up about their work being used without their permission, but the Recording Industry Association of America (RIAA) isn't letting it off the hook. The organization has sent the attorney representing HitPiece a letter demanding that the website and its founders stop infringing on music IPs, provide a complete list of site activities and account for all NFTs that had been auctioned off. It also wants to know how much the website earned. HitPiece founder Rory Felton previously said that artists will get paid for sold digital goods that are associated with them, but the artists who spoke up are skeptical that they'll get anything.

In the letter, the group repeatedly called HitPiece a scam operation designed to exploit fans. RIAA's Chief Legal Officer Ken Doroshow said it used "buzzwords and jargon" to hide the fact that it didn't obtain the rights it needs and to make fans believe they were purchasing an article genuinely associated with an artist. Doroshow added: "While the operators appear to have taken the main HitPiece site offline for now, this move was necessary to ensure a fair accounting for the harm HitPiece and its operators have already done and to ensure that this site or copycats don't simply resume their scams under another name."

Although HitPiece branded itself as a platform for music NFTs, its founders claimed that it didn't actually sell any sound files. The RIAA argues, however, that it still used artists' name, images and copyrighted album art. Further, if it truly didn't sell any sound files, the RIAA says that "likely amounts to yet another form of fraud." 

Social media scammers stole at least $770 million in 2021

The last year has been a boon for social media scammers, according to a new report from the FTC. The agency says more than 95,000 people lost $770 million to scammers who found them via social media platforms in 2021. That’s more than double the $258 million they say scammers made off with in 2020.

The report doesn’t speculate on why there was such a big increase in 2021, but it notes that reports of scams have “soared” over the last five years. It also states that there was a “massive surge” in scams related to “bogus cryptocurrency investments” and that investment scams accounted for nearly $285 million — more than a third — of the $770 million lost last year.

Romance scams have also “climbed to record highs in recent years,” according to the report. “These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money,” the FTC says. Also prevalent are scams related to online shopping, most of which involve “undelivered goods” that were purchased as the result of an ad on social media.

Of note, Facebook and Instagram are the only two platforms named in the report. “More than a third of people who said they lost money to an online romance scam in 2021 said it began on Facebook or Instagram,” the report states. Likewise, the FTC says that Facebook and Instagram were the most commonly cited platforms in reports of undelivered goods, with the two apps cited in 9 out of 10 reports where a service was identified.

“We put significant resources towards tackling this kind of fraud and abuse,” a spokesperson for Meta said in a statement. “We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it.”

Interestingly one of the FTC’s recommendations is that users try to opt out of targeted advertising when possible as scammers can “easily use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases.” The agency also recommends users lock down their privacy settings and to be wary of any messages asking for money, especially in the form of cryptocurrency or gift cards.