Sunday, July 1, 2012

Using the Internet Crime Complaint Center (The IC3)


This is part 5 of “Fighting the BMW Spam Machine”

To my International guests, don’t go away quite yet. If you are the victim of cybercrime and the perpetrator is in the USA, you can file a complaint through the IC3 too!

Today I am going to walk you through filing an IC3 Complaint. The IC3 is the Internet Crime Complaint Center, which is a partnership between the FBI and the National White Collar Crime Center. Their home page is at http://www.ic3.gov/default.aspx



It’s really worth reading the information about the types of crimes handled and the processes at http://www.ic3.gov/faq/default.aspx#item1.

Let’s get started. Today we’ll use BMW of Mt Laurel, The Holman Automotive Group, and BMW of North America as examples in filing the spam/harassment complaint. Holman Automotive is the parent company of BMW of Mt. Laurel and appears to allow them to disregard federal laws regarding spam. BMW of North America profits from Holman Automotive selling cars for them and does not seem to be inclined to take away the dealership if it is operated with illegal practices.

In the picture above I am going to click on the “File a Complaint” link. This takes me to http://www.ic3.gov/complaint/default.aspx, which I am not going to print a screen shot of. It basically says you are telling the truth and that due to state laws your complaint may not remain confidential. I don’t think that is an issue for me today! I’ll click the “Accept” button.

The complaint process uses SSL to keep the information confidential as you transmit it to the IC3. Here’s the first screen



The next screen is easy enough


And then…


The next screen is too long to post here. It includes your contact information, specific questions about the entity you are reporting, the evidence you may have, and many other things that are usually not too hard to figure out.

Below is the information I submitted to the IC3 about the incident.

"On 5/19/2011 I received spam from BMW of Mt. Laurel, a Holman Automotive Group company. I replied indicating I believed it was spam. The opt out did not work as they require scripts that might not be safe. The opt out page should use no scripting. The company did not respond to me. I have a copy of my response that includes the original email and I can print it out. On 11/21/2011 I received another spam from Holman Automotive and again on 11/29/2011. I posted a message to Facebook and received a message back on November 30 indicating that if I sent them my email address they would remove me. I have email copies of everything except my comment to them on Facebook. I have email with their reply. I sent them copies of the spam on 11/30/2011. On 12/12/2011 I received more spam from BMW of Mt. Laurel. I emailed customer service at Holman Automotive and at BMW of Mt. Laurel and told them to remove me from their mailing list once again. On 1/25/2012 I received more spam from "Wendy Morgan" at BMW of Mt. Laurel. I emailed more than a dozen employees of BMW of Mt. Laurel and Holman Automotive telling them to stop spamming me and nobody replied. On 2/3/2012 I emailed Comcast and CC'd Holman Automotive and BMW North America. I asked Comcast to block the spammers, but they did not. Holman Automotive ignored the request and BMW of North America returned a form letter telling me they appreciate my comments. I also sent a complaint with the spam to the FTC, but no action has been taken against the spammers who repeatedly defy the CAN-SPAM Act. I sent another email to BMW of Mt. Laurel, The Holman Automotive Group, and BMW of North America and told them all to stop spamming me. I sent an email specifically to BMW of North America and told them to remove my email address from their lists and have it removed from all of their dealer's lists.
I received an email the same day (2/3/12) from a "Wendy Morgan" who assured me she would attend to it immediately and put a "total block" on all the email addresses I previously provided. On 2/7/ I received a reply from BMW of North America and they said "BMW of North America, LLC is not responsible for the marketing promotions and mailings of individual BMW centers. We suggest contacting the marketing representative at BMW of Mt. Laurel. They will be in the best position to assist in researching your inquiry for future mailings." I replied indicating that contacting BMW of Mt. Laurel doesn't work and that they should not be supporting illegal activities by their dealers. BMW of NA responded and asked for my phone number, which I provided. BMW of NA replied that they would research and call me back. They did not. On 5/24/2012 I received more spam from "Wendy Morgan" on behalf of BMW of Mt. Laurel. I replied back to BMW of Mt. Laurel, Holman Automotive, BMW of NA and the German BMW headquarters. So far there has been no response from BMW of Mt. Laurel, or Holman Automotive. BMW USA said they would not put a stop to the spamming on a phone call. BMW AG (Germany) replied they would have their IT look into it. It really is time that BMW of Mt. Laurel and Holman Automotive cease the harassment and comply with the CAN-SPAM Act. If possible I would like criminal harassment charges filed. I also filed another complaint with the FTC, but the FTC indicated they do not pursue individual complaints. I again asked Comcast to stop their customer from illegal spamming, but Comcast did not indicate that they would take any effective action."

I have filed a complaint with the New Jersey Better Business Bureau, however the attacker is not accredited by the BBB.

I am happy to print out and provide all relevant correspondence.

Following this write up I am asked to provide details of contact I made with the attacker, and any law enforcement or consumer advocacy agencies, including the Better Business Bureau.

On the next page I confirm the information and then submit. The last is as follows…

A couple of minutes later I received an email from the IC3 with my case number and a password.

You can use the IC3 to report all kinds of Internet crimes; you just need to know the resource is there.

My next blog on the subject will deal with how BMW of Mt. Laurel lied to the Better Business Bureau in response to my complaint, and the folks at BMW HQ who know about it. If BMW of Mt. Laurel, and/or BMW North America, and/or BMW AG have any comments I'll post those as well.

Left to do... Check on the feasibility of filing suit in New Jersey, and retain a lawyer to file civil suit for CAN-SPAM Act violations.

Part 1 - Fighting the BMW Spam Machine
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-1.html

Part 2 - An Open Letter to BMW AG
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-2.html

Part 3 - How to Get the Attention of a Global Corporation
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-3.html

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-4.html

©2012 Randy Abrams - Independent Security Analyst

Sunday, June 10, 2012

Facebook Lists – The Respectful Way to Use Apps


Back in April I posted “Spam Nation - Disintegrating Respect One Friend at a Time” in an attempt to help people reduce Facebook spam and treat one another with more respect. Some people “got it” and made changes to their app settings, but other people, people I like and respect, still are spamming their friends with notices about Bejeweled Blitz, videos they saw on SocialCam or Vimmy, stories they read on the Washington Post Social Reader, or what song they are listening to on whatever music spamming app they use to listen to music on.

I wondered why these normally polite people were still allowing their apps to spam all of their friends and I came up with three possible answers. It’s possible they didn’t understand the post. I try to make these things as understandable to as wide an audience as I can, but individuals often learn differently and maybe for some I wasn’t really clear. If that’s the case, please let me know so I can be a better educator. The second reason, and the one I think is probably the least likely, is that they really don’t care who they spam about what. I don’t think that most of my friends are like that though. The third reason, and the one I suspect is the most common one, is that they have friends that they want to share this stuff with and that they want to see. If I’m playing Words with Friends, I might want to know what other friends who play are doing too.

If you are one of those friends, or a friend of yours referred you here and this is true for you, then today I will teach you how to share with your friends who want to know while respecting the rest of your friends enough to not let your apps spam them.

The little trick here is something called lists. Of course there isn’t a link on your home page called “lists”, but it’s easy to make one. Once you make a list you can tell the apps to only send notifications to that list. This is really easy and here is how you do it!

On the left side of your newsfeed you have a grouping called “Friends”. If you hold your mouse over the word “FRIENDS” then on the right you see the word “MORE”. If this step isn’t working for you, ask me for help!

 
When you click on “MORE” you will see a screen like the one below, only it is probably longer. See at the top where it says “Create List”? Click that!


Now you get to the Create New List screen. Choose a name for your list and then start typing in the names of the friends you want to be on your list. As soon as you have a letter or two the friend’s name and icon will appear.


See (below) how I only had to type in two letters to get a list of friends whose names start with those two letters? I just click on the friend and move on to the next friend. It is really fast and easy.


Now when you go to add an app, notice the part that says “Who can see posts this app makes for you on your timeline”. This really should say “Control whose newsfeed we are going to spam”. In the picture below, see where I have circled “FRIENDS” in red? That is where you select who the app talks to.



Many apps default to everyone or friends. I’m going to change this to my new list that I titled “App Lovers Anonymous”.



Now all the app chatter is seen only by the people I put on my “App Lovers Anonymous” list, and not in the news feed of my friends who couldn’t care less if I play Bejeweled or not.

We aren’t quite done yet. There is still the issue of the apps you already installed. It’s time to fix their spammy behavior problem!

Go to that little down arrow by the word “Home” in the upper right corner of your screen and choose “Account Settings”.

The next thing is to click on “APPS”.
On the right you will see a list of your installed apps.

  
Next to each app click the “Edit” link. You have to do this step for each individual app.



Now you see in the lower corner where this app is set to spam "Everyone"? I’m going to click on “Everyone” and change it to my new list “App Lovers Anonymous”.


Repeat this step for each app and now you will share with those who want the information and stop spamming the rest of the world!

Seriously, these apps don’t post all that stuff to save you the effort, they post to your timeline because it is free spam-vertising. These App publishers know that they can leverage you to spam all of your connections if you don’t limit their audience by choice. Please be considerate of your friends and only share the app messages with those who want to know it. Most of your friends probably don’t want to know what video you just watched, what songs you listen to all day, or what game you have been playing.

You can create separate lists for music, games, videos and social readers, or put them all in one or two lists. You really can share with your gaming buddies and stop annoying the rest of your friends!!!

If you want to use lists and I haven’t explained this well enough, leave me a comment here or contact me at Facebook (https://www.facebook.com/Mr.Randy.Abrams) and I will happily assist you!!!

Remember, it’s up to all of us to make Facebook a kinder, more respectful place by reducing the unwanted spam we can control! Share this with those who need the information, and use the information if you use apps!

Special thanks to my awesome friends Anders Nillson, Christina Ho, Kenneth Bechtel, Lisa Wolfenbarger-Wagner, Larry Bridwell, Mary Donovan, Natalie Moreno, and my sister (If I say awesome sister she’ll report to the FBI, again, that my identity was stolen by an imposter) for allowing me to use them as research guinea pigs for this article. I learned that you can’t use a group for app notifications, it has to be a list. Also, if you name a group “App Lovers Anonymous” Facebook will tell your friends that you added them to a group called “Lovers Anonymous”.

You may republish, or translate and republish this specific blog posting at no cost as long as you don't charge others for it. It would also be nice if you let me know if you republish. Thanks!

©2012 Randy Abrams - Independent Security Analyst

Friday, June 8, 2012

Fighting the BMW Spam Machine – Part 4


Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible

Previously I emailed copies of my correspondence and complaint to uce@ftc.gov. You can pass along any spam messages there. Now I will show you how to file a complaint against a company online. Note that the FTC will not take an action on behalf of an individual, but as the number of complaints mount, the offender gets noticed by the FTC and action will be taken if there are enough complaints. This isn’t just for spam either, it covers a wide range of consumer protection complaints.

To start, go to http://www.ftc.gov and click on the consumer complaint link.


This actually takes you to https://www.ftccomplaintassistant.gov when you click on the complaint form link to start the complaint.


Page 1 you should be able to fill out without my help and page 2 asks if you are a member of the armed forces. I do not know how that information is used.

The next screen looks like this


As soon as I checked “Email Spam” it progressed to the next screen.

I selected both “I am getting spam e-mails and I want them to stop” and “I can’t opt out of receiving e-mails from this company” because both are true. Not only does BMW of Mt. Laurel’s opt out page not work if you don’t allow client side scripting (that means let them run a program on your computer), but even when they tell me they will stop spamming me they keep doing it anyway.

Next you let the FTC know if you know anything about the company you are complaining about. I’m going to say yes.


Most of the information I need to fill out the next page is at http://www.bmwofmtlaurel.com/, although some of it came from their spam.


Here I click “+ Add another company” because I am also naming The Holman Automotive Group and BMW of North America. For the Holman Automotive Group the Better Business Bureau had some contact information even though the business is not accredited. The process was even easier for BMW of North America as their contact page has all of the details.

 
The next step is easy enough


Step 4 is to confirm your contact information so you don’t need a picture of that.

In step 5 you can provide additional information, but it is a bit scary that the FTC’s spell checker doesn’t know the words “spam” or “spamming”

One final confirmation of all of the information and you get your very own case number!!!

 
The beauty of social networking is that you can reach out to others who are getting spammed or otherwise cheated by companies and organize a complaint campaign to get the bad guys on the FTC’s radar.

So far still no word from BMW of Mt. Laurel, BMW of North America, or BMW AG, but I’m pretty sure they know there’s a disturbance in the force!

Now to move on to filing complaints with State Attorneys General and to let you know how you can do that too!

For background see:

Part 1 - Fighting the BMW Spam Machine
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-1.html

Part 2 - An Open Letter to BMW AG
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-2.html

Part 3 - How to Get the Attention of a Global Corporation
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-3.html

Part 5 - Using the Internet Crime Complaint Center (The IC3)
http://randy-abrams.blogspot.com/2012/07/using-internet-crime-complaint-center.html

©2012 Randy Abrams - Independent Security Analyst

Fighting the BMW Spam Machine – Part 3


How to Get the Attention of a Global Corporation

In Part 2 I wrote an open letter to BMW AG, but like a tree falling in a forest with nobody to hear it, you don’t know if an unread letter made a sound or not. The trick is how do you get the attention of a company like BMW?

The answer is you do a little research and you use some leverage.

It didn’t take long for me to find http://www.bmw.com/com/en/general/contact/contact.html, and that gives me the email addresses of several BMW employees in Germany who can either address my concerns or make sure they are addressed.

I decided to start with Ms. Christel Reynaerts, Head of International Corporate Sales. It is important not to include everyone in the same email as that may trigger some spam filters. Additionally, you want to change the text, at least a little, in each message or multiple duplicate messages may trigger spam filters and the recipients will not know that there is a problem they need to deal with.


You might message them and ask what they are doing to stop BMW spam!

In this case, since BMW is a German company and their Distributor is operating in the USA, I can also contact the German Ambassador to the US to let him know how poorly his countrymen are representing Germany and ask for assistance in getting BMW to stop allowing a US company to use their logo in spam runs. I suspect the Ambassador has more important things to do and will make sure someone else makes sure that this isn’t going to be a distraction any longer.

Additional steps on the “to do” list include:

File a complaint with the Attorney General for Washington State.
File a complaint with the Attorney General in New Jersey.
Check with the FBI to see if there is a potential criminal harassment complaint since BMW of Mt. Vernon refuses to stop emailing me.
Research legal options for a civil lawsuit against BMW of Mt. Laurel, Holman Automotive Group, and BMW of North America.

Time to send a bunch of emails to BMW employees now. The firstname.lastname format of employees at BMW.com tells me there is a reasonable chance that I can also email senior management at the company as well!

I’ll post more as I learn more or take more actions.

For background see


Part 2 - An Open Letter to BMW AG
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-2.html

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-4.html
 
Part 5 - Using the Internet Crime Complaint Center (The IC3)
http://randy-abrams.blogspot.com/2012/07/using-internet-crime-complaint-center.html

©2012 Randy Abrams - Independent Security Analyst

Fighting the BMW Spam Machine – Part 2


An Open Letter to BMW AG

Dear BMW,

The fact that you have a successful business is not an excuse to abandon basic human decency. Relentlessly harassing people in order to peddle products is not acceptable behavior and tends to indicate that you believe it is necessary to cajole people into buying your products because your products lack sufficient quality to sell themselves.

Going into another country and setting up a legal corporation to encourage local businesses to flout the laws of the land is not being a responsible world citizen. Your authorized representative “BMW of Mt. Laurel” has been engaging in a spam campaign for more than a year now. I have repeatedly asked them to stop spamming me and they refuse to honor legitimate requests or comply with US legislation against unwanted commercial emails. BMW of North America appears to be completely supportive of the illegal tactics and refuses to take any actions to stop BMW of Mt. Laurel from continuously spamming me. At this point it would be reasonable to assume that BMW AG approves of BMW of North America’s support for illegal and unethical spamming, but if I am wrong, feel free to reply and let me know how you intend to put an end to the spamming and to force BMW of Mt. Laurel to compensate me for the relentless harassment.

I do understand that BMW of North America is technically a separate legal entity, and that BMW of Mt. Laurel is a separate legal entity, however, they cannot use the BMW trademark if you do not allow them to represent you as common spammers, like they currently do. If you cannot revoke their licensed representation for failing to abide by the laws of the country they do business in, then you need to hire competent legal representation to write your contracts for you.

If you will not put an end to the spamming then I must assume it is how your company chooses to operate and continue to shed light upon your lawlessness and lack of basic human decency.

Sincerely,

James “Randy” Abrams

Part 1 - Fighting the BMW Spam Machine
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-1.html

Part 3 - How to Get the Attention of a Global Corporation
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-3.html

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-4.html

Part 5 - Using the Internet Crime Complaint Center (The IC3)
http://randy-abrams.blogspot.com/2012/07/using-internet-crime-complaint-center.html

©2012 Randy Abrams - Independent Security Analyst

Thursday, June 7, 2012

Fighting the BMW Spam Machine – Part 1


In this series I will take you along on a fight against a sleazy, unrepentant, relentless spammer. Together we will discover if the US CAN-SPAM Act, and/or any state laws have any real teeth in fighting a known spammer doing business in the United States of America.

The spam story starts back in May of 2011 when I received spam from BMW of Mt. Laurel, a dealer in New Jersey that is a part of a company called Holman Automotive. Why a BMW dealer in New Jersey is spamming a guy in the State of Washington is beyond me, but I asked them to stop.

In November 2011 I received more spam from BMW of Mt. Laurel. I contacted BMW of Mt Laurel again and they said they would remove my name from their list. In December 2011 I received more spam and again requested that they remove me from their spam list.

In January 2012 Wendy Morgan of BMW of Mt. Laurel continued her relentless spamming and blatant disregard for federal legislation, so I contacted BMW of Mt. Laurel, Holman Automotive Group and BMW USA and demanded that the spamming stop. Wendy Morgan assured me that the spamming would stop. BMW USA will not intervene or sever their relations with a dealer who violates federal laws. BMW USA did ask for my number so they could contact me, and I did provide it, but they did not follow up.

Come May 2012 and BMW of Mt. Laurel is spamming me again. Holman Automotive, and BMW of Mt. Laurel refuse to respond to demands to stop spamming me and BMW USA refuses to do anything. This time BMW USA did call to let me know they would not do anything.

In part 2 of this posting I will guide readers through the process of filing an online complaint with the FTC. After that I will continue with walking readers through how to file a civil suit against spammers who refuse to comply with federal legislation.

Let’s see if an individual can take a stand against sleazy spammers like BMW of Mt. Laurel and perhaps see if BMW USA does have an obligation to assist in preventing their affiliates from spamming.

Part 2 - An Open Letter to BMW AG
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-2.html

Part 3 - How to Get the Attention of a Global Corporation
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-3.html

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible
http://randy-abrams.blogspot.com/2012/06/fighting-bmw-spam-machine-part-4.html

Part 5 - Using the Internet Crime Complaint Center (The IC3)
http://randy-abrams.blogspot.com/2012/07/using-internet-crime-complaint-center.html

©2012 Randy Abrams - Independent Security Analyst

The LastPass LinkedIn Password Checker


LastPass has put up a web page for users to check to see if their LinkedIn password was one of the ones whose hash was leaked. As you know if you read my blog “Dumb, Dumb, and Dumber”, I don’t think it’s a good idea to give someone else your LinkedIn password. The catch here is that LastPass, in case you don’t know, is a password management program. In other words, you already trust them with all of your passwords, so why not type in your LinkedIn password on their web site? Let’s add one more item to this discussion: LastPass got it right in that the web page uses SSL, so the hash of the password is encrypted when it is sent over the web.

It may seem logical that there is no problem, but this is not the case. To start with, you don’t trust LastPass to know your passwords, you trust them to provide a program that helps you to manage your passwords. LastPass is not supposed to know any of your passwords other than the master password that allows you to access your passwords. I will concede that this is a very fine distinction, but if LastPass does not honor that explicit trust then they cannot be trusted. I do believe that LastPass is legitimate and does not access your passwords.

Here is the reason why you still do not enter your password, even at the trusted, properly implemented LastPass.com website. The reason is because you do not need to make an exception to The Two Rules You Damned Well Better Know and if you do it for no good reason because you think it is safe, you’ll probably do it for something that seems like a good reason, but is really a phishing attack.

In the case of LinkedIn, we know that 6.5 million password hashes were leaked, we don’t know if more were accessed and not leaked. Change your password. It doesn’t matter what a web site tells you, change the password to be safe!!! Now, since you need to change it anyway, why do you need to know if someone thinks it may or may not have been compromised? I know, the same reason I entered mine in…. curiosity. I only used my LinkedIn password in one place and I changed it BEFORE I checked to see if it had been leaked, so it was not my password when I entered it! I would never give anyone a password I was using or planned to ever use again at any time.

©2012 Randy Abrams - Independent Security Analyst