Last Updated: 2007-09-17 17:04:40 UTC
by John Bambenek (Version: 1)
An interesting aspect of the Ameritrade data breach last week was that, according to their press release, the only information stolen was "contact information" such as name, e-mail, phone number and address. Even though more sensitive data like SSNs and account numbers were in the compromised database, that information was "not taken". While this could be due to strong internal controls that prevented the theft, it is also possible that the attackers simply weren't interested in that information (this is speculation). The theory is that pump-and-dump scams might be what this attacker had in mind, and not identity theft. The reality is that far more identities have been compromised than have actually been used in theft.
On a related note, the United States Securities and Exchange Commission put out this press release detailing a pump-and-dump scam that netted nearly $3 million USD for the scammer. In this case, the individual had cash-strapped companies give him a bunch of stock. He then used pump-and-dump spam to artificially inflate the stock, at which point he cashed out. The stock then fell when people realized the scam. The plea deals and agreements are recent, but most of these scams took place in 2002. With the continuing presence of pump-and-dump spam, people must still be making money with this scam. The Ameritrade data breach means someone out there can target their e-mails for greater effectiveness. As is the case with phishing, an e-mail that looks more "legitimate", or that is perceived to come from a known source, makes phishing up to 8 times more successful.
John Bambenek, bambenek/at/gmail\dot\com
University of Illinois