Nov 26, 2006

PayPal Phishers Use Malaysian Government Portal

An antispam researcher has uncovered a phishing scam that uses computers belonging to both a medical transcription outsourcing company and the Government of Malaysia.

The scam was discovered by Bill Carton, an engineer based in San Diego who has spent the last ten years as a volunteer antispam activist, shutting down bulk e-mailers in his spare time. Carton received an e-mail Friday morning that purported to be from eBay's PayPal service.

It read like a standard phishing pitch: "It has come to our attention that your account information needs to be updated," the e-mail said. "If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service."

What was unusual, however, was the fact that the link in the e-mail was to a fake PayPal site hosted by servers in the Malaysian government's gov.my domain.

"This one was interesting because of the Malaysian angle. A government server usually gets my attention," Carton said.
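The mail described above claims to come from PayPal yet links into an unrelated government domain. As an added example (not code from the article or from any company it names), the following Python check does what a mail filter or a careful reader does by hand: extract every link, compare its host against an allow-list of the brand's real domains, and also flag anchors whose visible text shows a brand URL while the real target points elsewhere. The allow-list, the brand name and the sample messages (including the `sub.example.gov.my` host) are constructed placeholders, not values from the article.

```python
# Added example, not code from the article or any company named in it.
# Flags links in an e-mail whose host is outside the domains the claimed
# brand actually uses, and anchors whose visible text shows a brand URL
# while the href goes somewhere else.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of legitimate domains per brand (placeholder, not an
# authoritative list).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(message, claimed_brand):
    """Return a list of (url, reason) for links that do not fit the claimed brand."""
    allowed = BRAND_DOMAINS[claimed_brand]
    findings = []
    parser = _LinkExtractor()
    parser.feed(message)
    checked = set()
    for href, text in parser.links:
        if not href:
            continue
        checked.add(href)
        host = urlparse(href).hostname
        if not host_belongs_to(host, allowed):
            findings.append((href, f"link host {host!r} is not a {claimed_brand} domain"))
        # Visible text shows a brand URL while the real target is elsewhere.
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname
            if host_belongs_to(shown_host, allowed) and not host_belongs_to(host, allowed):
                findings.append((href, f"text shows {shown_host!r} but link goes to {host!r}"))
    # Bare URLs in plain text (or outside any <a>) get the same host check.
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)")
        if url in checked:
            continue
        checked.add(url)
        host = urlparse(url).hostname
        if not host_belongs_to(host, allowed):
            findings.append((url, f"link host {host!r} is not a {claimed_brand} domain"))
    return findings


# Constructed samples modelled on the article: the text claims PayPal, the
# link lands on an unrelated host (placeholder name, not a real site).
SAMPLE_PHISH = (
    "<p>It has come to our attention that your account information needs to be updated.</p>"
    '<p><a href="http://sub.example.gov.my/pp/update">https://www.paypal.com/cgi-bin/update</a></p>'
)
SAMPLE_PLAINTEXT_PHISH = "Please update your records at http://sub.example.gov.my/pp."
SAMPLE_LEGIT = '<p>Log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>'

if __name__ == "__main__":
    for name, msg in [("html", SAMPLE_PHISH), ("text", SAMPLE_PLAINTEXT_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(name, suspicious_links(msg, "paypal"))
```

The suffix match in `host_belongs_to` is deliberately strict: `paypal.com.example.invalid` does not match `paypal.com`, because only an exact host or a subdomain ending in `.paypal.com` counts. A production filter would add a public-suffix list and sender-authentication results, but the host comparison is the part that catches the mismatch the article describes.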

'Secure' Sites Co-opted

Closer investigation revealed that computers from another trusted source had been used to send out the phishing e-mail.

"The compromised mail server used to relay the spam and scrub off any evidence of where the spammer is, was not the typical home cable customer with a zombie infection, but Rxdocuments.com," Carton said. "They boast of having HIPAA-compliant software for patient privacy, but they were compromised and used as a spam-spewing relay. How trustworthy is that?"

Paul Laudanski, owner of Computer Cops and the leader of the Phishing Incident Reporting and Termination squad project, examined the phishing e-mail and agreed it appeared to have been relayed by Rxdocuments.

Rxdocuments.com provides dictation transcription services for physicians. It bills its products as "cost-effective, secure transcription adhering to the highest professional, ethical, and legal standards," according to the company's Web site.

Neither Rxdocuments.com nor the Government of Malaysia responded to requests for comment. Rxdocuments.com is headquartered in Miami, but the Web site is registered to RxDocuments, in Bangalore, India, according to the Whois database, which tracks domain registration.

This is not the first time that the gov.my Web site has been used by phishers, according to Laudanski. It has been used at least four other times since April of this year to spoof brands such as Chase, Citibank, and eBay, he said.

Aggressive Phishing

Phishers have become increasingly sophisticated as criminals have realized that there is real money to be made in online fraud. Research company Gartner estimates that U.S. consumers will lose $2.8 billion to phishing in 2006, with the average attack netting $1244.

"There's definitely more of it than we've seen ever," said Dave Jevans, chairman of the Anti-Phishing Working Group. "Spam has gone up hugely in the last two months and the volume of phishing has gone up with that," he said.

Jevans agreed that this latest PayPal scam is unusual.

"It's interesting because it's basically two entities that you would think would have security nailed down," he said.

Police blotter: Child porn in Web cache OK

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Pennsylvania man appealed his conviction for knowingly possessing downloaded child pornography, saying he didn't know it was in his Web browser's cache.

When: The Pennsylvania Superior Court ruled on November 2.

Outcome: Court threw out conviction, saying state law criminalized only knowingly possessing child pornography, not simply viewing it.

What happened, according to court documents:
Anthony Diodoro was convicted of 30 counts of child pornography possession and one count of criminal use of a communication facility. He was sentenced to 9 months to 23 months in prison.

His conviction arose out of a slightly unusual situation: Prosecutors successfully proved that Diodoro had viewed child pornography sites and pointed to his Web browser's cache as evidence. (A browser cache is a temporary storage location for Web pages, so that if the same page is visited again, it can be quickly reloaded from the hard drive.)

But prosecutors did not prove that Diodoro actually knew the illegal images were saved to the cache, a common situation for novice users.

That's crucial, because section 6312(d) of Pennsylvania's criminal code says: "Any person who knowingly possesses or controls any book, magazine, pamphlet, slide, photograph, film, videotape, computer depiction or other material depicting a child under the age of 18 years engaging in a prohibited sexual act or in the simulation of such acts commits an offense."

The judges agreed that Diodoro viewed child pornography (some 370 images worth, in fact) but ruled that the wording of the law only criminalized knowingly possessing it. They reversed his conviction.

This is different from other cases that have appeared on Police Blotter in the past. In July, the 9th Circuit upheld a defendant's child porn conviction, in part because the evidence showed he looked at the cached images. In a case involving a Naval officer, he allegedly had saved images in addition to cached images.

In another case, called U.S. v. Tucker, the 10th Circuit upheld a defendant's conviction because he cleared his Web browser's cache to avoid being caught with saved child porn. The logic: Because he knew about the existence of the cache, he had knowingly possessed the images at least temporarily.

This is another odd result of laws written during a time when contraband existed only in physical form. It implies, for instance, that it would be perfectly legal to watch (though not distribute) child porn videos streamed through a site like YouTube, and that it would be legal to browse child porn Web pages if a browser's cache was disabled.

Excerpts from the Pennsylvania court's opinion

This is an issue of first impression in Pennsylvania. We have found no case exactly on point in which a conviction for "possession" of child pornography for simply viewing it on a Web site without any evidence that the defendant knew the image was being saved on the computer's hard drive. In cases from other jurisdictions affirming such convictions, there was evidence that the defendant knew the images were being stored, and usually distinguished those cases from the situation where the defendant merely viewed the images without knowing they were being stored. Those cases point out that to establish possession, a defendant must know that the image is being stored, so he or she knows he or she has the ability to save, print, or e-mail the images to others.

We note that it is well within the power of the legislature to criminalize the act of viewing child pornography on a Web site without saving the image. The language used in section 6712(d), however, is simply "possession." Because this is a penal statute with an ambiguous term when it comes to computer technology, it must be construed strictly and in favor of the defendant. A defendant must have fair notice that his conduct is criminal. Because of the ambiguity, sufficient notice was not provided here. For this reason, we are constrained to reverse and leave it to the legislature to clarify the language if it intends to make the mere "viewing" of child pornography a crime.

At trial, the commonwealth's computer forensics expert testified that when a Web site is viewed, the image is automatically saved to an Internet cache file. The purpose is to save time, so that if the site is viewed again, the old file can be quickly uploaded rather than requiring the time to reload the file...

We hold that absent specific statutory language prohibiting the mere viewing of pornographic images or evidence that the defendant knowingly downloaded or saved pornographic images to his hard drive or knew that the Web browser cached the images, he cannot be criminally liable for viewing images on his computer screen. Therefore, we conclude that the evidence was insufficient to sustain Diodoro's conviction for knowing possession of child pornography under section 6312(d).

When Off-the-Rack Software Doesn't Fit

Does packaged small-business accounting software fall short of your needs? Consider software for which source code is available.

"One size fits all" is one of the biggest lies in clothing. Similarly, the notion that one accounting application can be suitable for all small businesses is one of the biggest myths in computing.

Small-business accounting applications such as Intuit Quickbooks, Microsoft Office Accounting (formerly Small Business Accounting), and Peachtree and Simply Accounting from Sage Software are popular tools to help you manage business operations and keep track of finances. But while they are capable and cost-effective, they are not necessarily best for every business.

If you run an off-the-rack type of small business, you can be quite satisfied with the capabilities of these packaged business management applications. Some are available in several editions; typically, the more expensive versions permit additional users and add specialized capabilities such as time billing and project tracking. However, if your business has special requirements, using a packaged application can be like wearing a jacket with sleeves that are uncomfortably short.

Recognizing these limitations, vendors of accounting packages have added some customization capabilities in recent versions that may help out. For example, you can remove unneeded features from program menus, and also create custom reports. You can add new fields to displays and reports. One of my clients even added a birth date field to his accounting application's customer database, so he could track birthdays and send a congratulatory card to each buyer.

When Shrink-Wrapped Isn't Enough

But sometimes such customization features are just not enough. Perhaps you deal with your customers in a unique way or offer more options for your products than does the competition. In that case you have two choices: Adapt your business operations to the software available, or adapt software to meet your business requirements. If changing your business operations feels like shortening your arms to fit a jacket, how should you handle changing the software?

While you can start programming an accounting application from scratch (or, more probably, hire someone to do so), that's much like re-inventing the wheel. If you require a custom solution, it's usually more cost-effective to start with something that comes close to what you need, then modify the source code to deliver a precise fit.

Applications for which source code is available should not be confused with open-source software. Open-source business accounting programs such as TurboCash and SQL Ledger do have source code available. However, not all applications for which source code is available are open source. Some, such as Open Systems' OSAS and Sage Software's Sage Pro, are licensed under more traditional terms and require payment to use the software.

Bringing in a Pro

Modifying the source code for an accounting application requires more technical knowledge than installing a packaged application. You may need support from a contract programmer or experienced consultant. You can often get good leads to qualified professionals from the application developer or a product support bulletin board.

Once you've got your modified software, be sure to test it thoroughly to ensure that it works as you expect. I recommend running it in parallel with your existing system for a minimum of three months. Compare the results each month to see if the overall totals agree. If they don't, stay with your original program until you get concurrence for at least two months running. Yes, this means extra work, but it's one of the costs that must be factored into your decision to go the custom route.

Examine the capabilities of packaged applications and their customization options carefully before rejecting them. Sometimes a business assumes its needs are unique when, in fact, thousands of other companies have similar requirements and software to deal with them is already available. But if your business operations are truly different, there's nothing better than the fit you can get from accounting software based on customized source code.