dslreports logo
site
spacer

spacer
 
   
spc
story category
AT&T Hack Part of Larger ID Theft Scam
19,000 accounts 'immediately' used in phishing attempt
by Karl Bode 10:27AM Friday Sep 01 2006
The San Francisco Chronicle's David Lazarus has more on the AT&T hacking incident reported earlier this week. AT&T's press release on the issue didn't tell the whole story, he says, noting that internal documents obtained by the Chronicle "show that the security breach was only the first step in a more elaborate scam that involved bogus e-mail being sent to AT&T customers that attempted to trick them into revealing additional info that could be used for widespread fraud or identity theft."

The memo obtained by the Chronicle also notes that it wasn't AT&T's systems that were hacked, but "an AT&T vendor that operates an order processing computer" for the online DSL store. Once the info for those 19,000 users was obtained, it was "immediately" put to use in the scam, the paper states.
"The messages, ostensibly from "SBCdslstore.com," told recipients that "we recently tried to charge your credit card for your SBCdslstore.com order and it was rejected by the bank because it has no complete information. Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number."
AT&T tells the chronicle that while they did not mention the phishing aspect of the scam in their press release, individual customers were e-mailed and warned about the scam.

view:
topics flat nest 
moonpuppy

join:2000-08-21
Glen Burnie, MD

Where did it come from?

US or foriegn site?

Plus, using real order and CC numbers makes this fish VERY hard to spot.

Very good job on the scammer's part.

HonestEnd

join:2006-03-01
Sterling Heights, MI

Re: Where did it come from?

I agree, using real order and CC numbers would definently make it hard to spot the fish. I wouldn't be surprised if many people fell into their trap. Good move for the scammers, sad that it had to happen though.
bogey7806

join:2004-03-19
Here
kudos:1

Re: Where did it come from?

Real pros. They moved fast realizing AT&T would catch it soon. Probably took preventative measures to keep from being traced. We'll probably never catch them.

They really need to make this type of thing a severe felony where you're guaranteed a life of had prison life.

pa_grape
Premium
join:2006-07-24
Columbus, OH

Re: Where did it come from?

I completely agree! Lets take the scammers out of society for good. If and when they are ever caught, lock them up for good. Otherwise they will just get out and commit another scam.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3
Yup... let's bring those Russians to the U.S. and charge them with a felony.

If you look at the histroy of many of these hacks/cracks (hope the P.C. police on both sides are happy) come from other countries... alot of them are in Russia.
--
"Wipe out the national deficit over night... Tax the stupid!" - about 50 gMail invites available. PM if you'd like one.

Transmaster
Don't Blame Me I Voted For Bill and Opus

join:2001-06-20
Cheyenne, WY

1 edit

Interesting contrast

Do you notice something. The recent boners pulled by the VA were shouted from the mountain tops as examples of the incompetence of the present administration, The "news" services rolled out the usual talking heads to pontificate on the whichness of why but when a civilian company like AT&T, or one of their out sourced flunkies looses this kind of personal information it is treated as just a news story. Even though in the case of the AT&T story there was an attempt to use the information in a phishing scam.

The stolen VA laptop which carried the Veteran's personal data was all encrypted and once it was recovered the FBI determined none of data was accessed. This doesn't excuse the VA, The worker had permission to work from his home, but had I been that person I would have insisted the VA install a safe in my house to keep this laptop, and any other sensitive information in or I wouldn't have taken the laptop out out the VA office where I worked.

I have worked with Medical records for 30 odd years and anytime I hear of such personal data getting out into the jungle. it really bothers me because the vast majority of us take exquisite care of the data we process.
--
The older I get the more I prefer the company of my dogs over that of man kind.

T1 Rocky

join:2002-11-15
Dallas, TX

SSL

When we signed up for dsl, they wanted my social security number which I refused to give to the salemans suprise. They took my account anyway and said someone would call back to confirm some security info but never did. I'm glad I didn't give it up now.
Jonbo298

join:2004-01-12
Council Bluffs, IA

Re: SSL

God forbid a company wants to verify its you signing up for service and not someone using your name to do it.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

1 edit

Re: SSL

God forbid that customers understand the law and their rights as in not having to give up their social security number.

Learn of what you speak before you try to slam someone else.

Let me give you a quick lesson/example. It's AGAINST THE LAW for cable, in CA, to even ASK for the SSN.

You have every legal right to withhold your SSN number in, my guess, 95% of the people who ask for it - EVEN LOANS! Your SSN is and always was intended to administer your Social Security Account.. period.. not your phone company, not your cable, gas, electric, car loans, credit cards, and every other yahoo that wants it.

God forbid is right. That's what your state issued ID is for.
--
"Wipe out the national deficit over night... Tax the stupid!" - about 50 gMail invites available. PM if you'd like one.
stufried
Premium
join:2003-10-13

Re: SSL

The problem is that the SSN is already too compromised to do any good. Until 2001, these numbers were sold in commercial database files. Those files still around on many investigative databases.

State IDs are not standardized. We need to create a public id for people with some sort of rotating verification key (not just a PIN). Here is a simple (but not perfect idea).

When I put a fraud alert on my file, I could not get new credit without them calling me, but that only last 90 days. I am in the process of drafting a request to make it permenant, but this is deliberately made too difficult to get. I would like to put the additional requirement that I have to be called on my mobile phone before credit is granted.

I'd then like that mobile number and mail number in a hardened file that requires something like a letter to be sent to my previous address of record with a code that has to be punched in somewhere before it could be changed.

Our current system is too compromised. We need to invest in something more secure and we need to move it out several generations (rather than in minor increments).
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: SSL

I agree... however, to put it simple, there needs to be a dynamic checks system on creidt reporting and Congress needs to pass hard core legislation on restricting the use of the SSN.

It's NOT a nation ID number and needs to quit being used like one.

If anyone wants a point AGAINST a nation ID, look at the blown-out SSN fiasco we are faced with today and how THAT number was abused.
--
"Wipe out the national deficit over night... Tax the stupid!" - about 50 gMail invites available. PM if you'd like one.
moonpuppy

join:2000-08-21
Glen Burnie, MD

Re: SSL

said by fiberguy:

If anyone wants a point AGAINST a nation ID, look at the blown-out SSN fiasco we are faced with today and how THAT number was abused.
We already have a national ID system......it's called a Passport.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: SSL

If we "already had a national ID system" then there would be no debate in congress on needing a "national ID card" now would there?

Do you have any idea how many people in the U.S. actually HAVE a passport? You know, that document that lets you travel outside the country?
--
"Wipe out the national deficit over night... Tax the stupid!" - about 50 gMail invites available. PM if you'd like one.
moonpuppy

join:2000-08-21
Glen Burnie, MD

1 edit

Re: SSL

said by fiberguy:

If we "already had a national ID system" then there would be no debate in congress on needing a "national ID card" now would there?

Do you have any idea how many people in the U.S. actually HAVE a passport? You know, that document that lets you travel outside the country?
While the passport is mostly used for travel outside the country, it is more than that. When you fill out an I-9 form, it is better than an ID card (driver's license) and SS card or birth certificate.

BTW, over 10 million were issued in 2005. Passports are good for 10 years (5 if you are under 18.)

EDIT: and Congress is debating this because they need something to crow about, another pork project and a vote to keep their jobs for the next election.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: SSL

A passport is better than a driver's license, SS or birth cirt? No they aren't. Who told you that garbage? PLESAE tell me where on the form is says "passport desired"... all forms of ID are just as acceptable as the next.

10 million? What's the total population of the country? now figure out the percentage.

No.. a passport is not a nation ID card. And SOME members of congress want debate because they want more control over the people of the states.
--
"Wipe out the national deficit over night... Tax the stupid!" - about 50 gMail invites available. PM if you'd like one.
moonpuppy

join:2000-08-21
Glen Burnie, MD

Re: SSL

said by fiberguy:

A passport is better than a driver's license, SS or birth cirt? No they aren't. Who told you that garbage? PLESAE tell me where on the form is says "passport desired"... all forms of ID are just as acceptable as the next.
Look at an I-9 form. A passport does the job of a driver's license and birth certificate when determining eligibility to work in this country. Just because you have a driver's license, doesn't mean you can work in this country.

»www.uscis.gov/graphics/formsfee/···/i-9.htm

said by fiberguy:

10 million? What's the total population of the country? now figure out the percentage.
Because this country puts so much stake in the state ID's, most people, including you, don't see a need for a passport. Beginning 1/1/2008, you need a passport to go to Mexico or Canada (right next door.)

said by fiberguy:

No.. a passport is not a nation ID card. And SOME members of congress want debate because they want more control over the people of the states.
I can show it to a police officer and he has all the information he needs to run a check on me. My Maryland license doesn't even have my SS# on it. All he needs is my name and date of birth and he can find my DL number if he needs it.

The ONLY 2 things a driver's license does over a passport (within the country) is allow you to drive and establish an address. The latter is not even that reliable in many cases.

A system is already in place, time to use it.

Combat Chuck
Too Many Cannibals
Premium
join:2001-11-29
Verona, PA

Re: Where did it come from?

said by moonpuppy:

Plus, using real order and CC numbers makes this fish VERY hard to spot.
Only if your not looking for the first thing you should be looking for, emails asking for personal information.
--
Early to rise, early to bed;
Makes a man healthy but socially dead.

verolom

join:2002-03-23
Reston, VA

Oursourcing is great!

It saves money, it streamlines your business allowing you to concentrate on your strenghts, and, oh...

Shamayim
I already have a Messiah.
Premium
join:2002-09-23

1 edit

1 recommendation

Encrypt! encrypt! encrypt!

I'll repeat this comment again and again until I'm blue in the face or it happens, whichever comes first....

Legislation needs to be enacted requiring customer info databases to be encrypted. So that when they are stolen they are useless to the thieves. FELONY penalties for any hacked company that failed to encrypt.
--
"tick...tick...tick..."
»www.jtf.org/

djtim21
It's all good
Premium
join:2003-12-22
Lake Villa, IL

Re: Encrypt! encrypt! encrypt!

said by Shamayim:

I'll repeat this comment again and again until I'm blue in the face or it happens, whichever comes first....

Legislation needs to be enacted requiring customer info databases to be encrypted. So that when they are stolen they are useless to the thieves. FELONY penalties for any hacked company that failed to encrypt.
I believe that the intruders had access to the database, they didn't get a "copy" of it. I am just going by the original story from earlier this week. Encryption would have nothing to do with this, since they already got past the front door.

Of course I'm assuming allot here, but this sounds like a keylogger, break and take. The "scammers" just grabbed a bunch of info and put it to work as soon as they started getting info.

This also sounds like they had a plan in place before they grabbed the info. This was a smart robbery, not just your "Ohh...I've got some information who do I sell it to".
--
"All that is necessary for the triumph of evil is that good men do nothing.” - Edmund Burke

Derch
Premium
join:2004-10-16
Cross Plains, WI

Government needs to step in.

I think the government should worry more about security breaches at companies than Net Neutrality. These breaches affect more people and will cost more.

The FCC and or congress needs to start hearings and place CIO's and CTO's on the stand so that they can be held accountable.

dba
Resistance Is Futile
Premium
join:2004-02-05
Colorado Springs, CO

Go back to cold hard cash

Whenever some kind of transaction involves money, there is always all kinds of identification proof that are required, e.g. SS#, CC#, Bank Account #.

These numbers have become so everyday mundane numbers, given to pretty much any company that asks for it, that in my opinion these numbers have lost their importance.

Because these numbers have lost their real importance, some might wonder whether it wouldn't be better for people to revert to paying cash or paper checks for their transactions.

I wouldn't mind one less headache, from everyday life. Having to be careful of my credit, my SS # or what not is quite time consuming, if you ask me.

Its Friday, I'm in a ranting mood.
--
Signature file missing.

Michieru2
zzz zzz zzz
Premium
join:2005-01-28
Miami, FL

...

Can someone please tell me why are these accounts even accessible online? They should be only accessible from inside the business itself in a offline network. If it was a online store a manual connection to the offline network could be made transferring the accounts for the day and making this ID theft even lower at random hours of the day.

Why is AT&T trusting a vendor for customer information?
Why is AT&T passing customer information with a vendor?

As for these scammers I would love to break there necks if I ever get a hold of one. They do nothing more than cause people misery, and they continue simply out of greed.

owenhome
keeper of the magic blue smoke
Premium
join:2002-07-13
Bentonville, AR

Liars!

AT&T didn't get hacked in to! They are doing all this themselves to make up for what they won't be able to make off of us with that bogus fee! They know they won't get away with it, just like Verizon, so they had to come up with something else. So they take all of our personal information and use it for phishing attacks. They have to do it that way because if they just used our billing and payment information and flat stole from us, it would be too easily tracked back to them. This way, they can make us all think it's some back-water criminal!

See? Damn thieves!!!

J/K of course. But I wouldn't put it past them.
--
Never argue with a fool, people might not know the difference.

linicx
Caveat Emptor
Premium
join:2002-12-03
United State
Reviews:
·TracFone Wireless
·CenturyLink

2 recommendations

Geez!

The best way to dodge the bullet is to NOT reply to any email that asks for personal information. If you think it's legit, call the bank or company you do business with; put a personal password on it. If you think it isn't, hit the delete button.

The people who perpetuate this kind of attacks target corporations with a large database of consumer information. They count on human nature to believe their *trusted* scheme.
--
Mac: No windows, No gates, Apple inside

Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

An email that says "Do not trust email"

"AT&T tells the chronicle that while they did not mention the phishing aspect of the scam in their press release, individual customers were e-mailed and warned about the scam."

I see some problems with AT&T's solution to notification.

1. How can AT&T be sure a spam filter won't interfere with delivery of their notification?
2. How could AT&T be sure that some of it's customers wouldn't decide that of the 2 emails in question that the AT&T email was the bogus one? Particulary when there were no mention of the threat in the press.
3. Sending email is not the solution to bogus email.