Archives for: November 2017

NZ Man in court over alleged $1.2m scammed from pensioners


A 48-YEAR-OLD Kiwi has been extradited back from New Zealand to face 21 boiler room fraud charges that police claim stripped retirees of their superannuation and others to the tune of $1.2 million.

The man, who is due to appear in Maroochydore Magistrates Court this afternoon, was the alleged ringleader of the Gold Coast-based scam, police claim.

Victims were lured into the scam with cold calls or by visiting websites set up by the group, Detective Senior Sergeant Daren Edwards alleged.

They were drip fed a small amount of cash to get them to pour more in.

He said the “callous” alleged fraudster had blown most of the $1.2 million on a luxury Gold Coast lifestyle and police did not yet have any assets to strip from the man.

“It was to do with safe racing and betting,” Sen Sgt Edwards said.

“Some of the allegations are that some of the complainants received some of the funding back so they appeared they were getting returns however that was just a phoenix set up. Once an investor put money in they would drip feed some of the other investors money to give the false impression they were getting money,” he alleged.

Sen Sgt Edwards alleged one West Australian victim invested $300,000 in the scam, while another Sunshine Coast man in his 70s put in more than $70,000.

A second man has been charged on the Gold Coast.


Henry Sapiecha

Smart label helping beat counterfeiters

China-based company WaliMai has developed RFID-based anti-counterfeit labels that are fixed to a product to let consumers know for certain that it is genuine. Matthew Stock reports.

Counterfeiting in China is big business. Knock-off goods range from designer handbags and cosmetics to food and medicines. The 2008 tainted milk scandal caused domestic consumers to be wary of made-in-China milk products, leading to a rise in imports from the West. Those imports became a prime target for counterfeiters. The WaliMai anti-counterfeit label aims to help parents know for sure their baby formula is genuine.

Alexander Busarov, co-founder and CEO of WaliMai, said: “The way it works for the consumer is that they come to the shop, they take their mobile phone, they touch the label with their mobile phone. It takes about 2 seconds for the confirmation and re-writing of the codes. And then the first piece of information that they get is that it’s actually authentic. Then to add on to that there’s all the information on the logistic supply chain so they can see where the product was produced, where it was packed, where it entered the country that they’re in – in our case it’s China – when it was checked in our warehouse, and also they can see their own scan.”

WaliMai says they have ‘banking-level’ security inside. The embedded RFID chip has a re-writable memory, changing with every scan. They say this makes it virtually impossible to counterfeit. Each label is single use, and is destroyed when the product is opened.

Busarov said: “There’s an antenna within the label which gets torn and it’s very difficult to put it back together; you basically need a lab for that which acts as a deterrent for a counterfeiter to actually deal with it.”

WaliMai’s smart label will soon be used on bottles of alcohol – another sector battling Chinese counterfeiters. The company hopes the technology could one day help tackle the huge global problem of counterfeit pharmaceuticals.


Henry Sapiecha

Million-dollar visa scam leaves migrants $50,000 out of pocket, boss drives Porsche

A million-dollar jobs and visa scam that promised to help find work for hopeful migrants in regional areas has left dozens up to $50,000 out of pocket while the plan’s architect lives in a $3 million mansion and drives a brand-new Porsche.


Lubo Jack Raskovic exits his car. Pic Nick Moir 10 nov 2017


A recruitment agency run by former banned company director Lubo Jack Raskovic out of an office block in Sydney’s north west promised to help find migrants sponsored jobs and a pathway to visas, for fees as high as $70,000.

“He said he can find the right guy in my field – if I want [visa] sponsorship, he can help,” said Melbourne-based mechanic and former client, Harmandeep Brar.

A joint SBS-Fairfax Media investigation can also reveal Mr Raskovic, 59, and his company, Global Skills and Business Services Pty Ltd, offered to pay cash to employers in regional areas, in return for jobs and visas.

Employer Chris Olm, from Chris’s Welding & Steel in Chinchilla in Queensland’s Western Downs Region, said he was offered $10,000 if he took on a worker and sponsored them for a visa. After pestering Mr Raskovic for his payment, he was told he would be paid in cash.

“He said, ‘do you want money in cash’ (and) I said, ‘just put it in my bank account. Who f–kin’ deals in cash, how dodgy is this,” Mr Olm said.

Former clients said they discovered the business through word of mouth or Facebook posts. Most spent months trying to source a job through Mr Raskovic but eventually ended up seeking a refund, which was never granted in full, and in many cases not at all. Some left Australia ruined.

Last month Mr Raskovic placed Global Skills, of which he is sole director and shareholder, into liquidation with debts of around $2.5 million, leaving 45 creditors, mostly Indian migrants, out of pocket.

According to corporate records the company had “nil” assets when it was wound up. But just 10 months earlier Mr Raskovic bought a $3 million mansion in Bella Vista – described by real estate agents as “one of the Hills district’s finest homes” – and purchased a new $100,000 black Porsche Cayenne station wagon, under a separate business entity.

He works for a different company, All Borders Pty Limited – set up just weeks before Global Skills went broke – and operates from the same office under a similar business model. It’s owned by his partner, Neo Tau, who shares his Bella Vista mansion.

Forced to return to India

Suneel Kumar Kocherla, 41, said he lost around $30,000 to Global Skills, which promised to help him find a regional job.

He was desperate to find a way to remain in the country two years ago and searched for recruitment companies. He accepted a contract with Global Skills and agreed to pay $40,000.

In return, Global Skills agreed to provide “recruitment services” that included “gathering CVs and requesting references”, “facilitating interviews and placement opportunities” and “supporting the offer and acceptance process”. A job is not guaranteed, however clients are entitled to a refund of their fees paid less reasonable expenses if employment lasts for less than 12 months.

In April 2015, he received a written job offer from the chief executive of a landscaping company on Queensland’s Sunshine Coast.

A “letter of engagement” sighted by SBS and Fairfax Media purports to show the landscaping business offering him a job. The company’s boss said he had never heard of Mr Raskovic or his company Global Skills. “Never have I entered into an agreement with anyone to do with that stuff,” the firm’s boss said.

Asked to respond to the allegations, Mr Raskovic said he had advice not to talk. He did not respond to written questions.

After several other jobs failed to eventuate, Mr Kocherla, who has two young children, was forced to leave Australia and return to India.

Clients, employers in the same boat

Clients aren’t the only ones angry at Mr Raskovic. Employers claim they were offered cash payments in exchange for either taking on a migrant worker or sponsoring a visa outcome, but never received them.

Under new laws introduced in December 2015, it is illegal to offer or provide money in exchange for a sponsored work-visa arrangement. Maximum penalties for individuals are up to $50,400 per offence which rises to $252,000 for bodies corporate.

Mr Raskovic declined to answer questions on the payment of fees, however internal documents seen by SBS and Fairfax Media refer on one occasion to a “training fee” of $10,000 offered to employers.

Mr Olm said the $10,000 he was promised would only be handed over after the visa had been granted.

“Once they get approved, we are supposed to get 10 grand,” he said.

When he met the worker he said he didn’t have the necessary experience, but kept him on anyway.

“I was happy to keep him, I mean they siphoned 50 grand out of the kid,” he said.

After the worker received his visa, Mr Olm rang Mr Raskovic to collect his payment.

But Mr Olm said he never received the money and is now considering legal action.

Another business owner, Garry Rogers, who runs the Noosaville Meat Markets, north of Brisbane, said he was offered as much as $10,000 to take on a migrant worker.

“I was told I could get five grand, maybe 10, if he stayed on,” he said.


Ankur paid $50,000 to Global Skills and Business Services for a job that never eventuated.

He was eventually fired after two months. He claims that the job was primarily a manual labour role despite the employment contract describing it as a mechanic role.

“I told them ‘you find the wrong job for us’ … I haven’t worked with a diesel machine,” he said.

He demanded his money back from Mr Raskovic’s company but said he has received nothing.

Another claims he is owed $35,000 on the promise of a managerial position. He does not want to be identified because his parents in India still do not know he lost the money.

He ended up driving between Brisbane and Roma – a 500-kilometre journey – going door-to-door looking for work.

“I slept in the car and I went town to town,” he said.

‘A more legal way of doing his business’

Schon Condon was appointed as the liquidator of Global Skills and met with Mr Raskovic last month.

“He said he had lost a legal action and was looking at reinventing a better way – and presumably a more legal way – of doing his business,” Mr Condon said.

At the meeting Mr Raskovic indicated the company had no assets. But the joint SBS-Fairfax Media investigation has uncovered text messages and emails from January 2017 from Raskovic’s company asking clients to pay money into a Westpac account.


Ankur has never received a refund. His calls to Jack Raskovic go unanswered.

According to invoices obtained by SBS and Fairfax Media, in the six months before Global Skills was put into liquidation, two companies linked to Mr Raskovic sought payment for almost $1 million for services including rent, management fees and consultants fees for Mr Raskovic himself.

While the company was still solvent, clients were told to deposit their money into an account linked to a separate entity owned by Mr Raskovic, which holds the title for his $3 million Bella Vista Waters home, and a number of cars including a Black Porsche station wagon purchased earlier this year.

Already disqualified

Mr Raskovic has previously been disqualified from managing companies for four years from 2008 after the Australian Securities and Investments Commission found he allowed three companies to trade while insolvent.

Global Skills and Business Services Pty Ltd also continues to be identified as operating another recruitment website – – which promises to connect job seekers with employers who “in many cases… are able to provide Regional Sponsored Migration Scheme and 457 [visa] sponsorships.”

According to contracts seen by SBS and Fairfax Media, a company linked to Mr Raskovic would offer job-spotters a $2000 payment for finding work for migrants that would lead to a visa application. Instalments would be paid upon job placement with the remainder “upon completion, lodgement and approval of all requisite employer sponsorship documentation”.

Jee Eun Han, executive manager at Australian Immigration Law Services, said it was not uncommon for migrants seeking visas to be exploited or lose their money through such schemes.

“The most common story from them is, ‘I paid huge money to the job broker or recruitment agent for employer to sponsor them for visa, even though the job never existed and they paid more than $50,000 sometimes’,” she said.

“Just put yourself in their shoes – you are overseas, living there for a few years, you may have kids as well, and you’re trying to find a job and secure your visa and now you’re being targeted by the scammer.”


Henry Sapiecha



Google: Our hunt for hackers reveals phishing is far deadlier than data breaches

Phishing attackers just love using Gmail.


Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches, because of the additional information phishers collect.

Hardly a week goes by without a new data breach being discovered, exposing victims to account hijacking if they used the same username and password on multiple online accounts.

While data breaches are bad news for internet users, Google’s study finds that phishing is a much more dangerous threat to its users in terms of account hijacking.

In partnership with the University of California Berkeley, Google pointed its web crawlers at public hacker forums and paste sites to look for potential credential leaks. They also accessed several private hacker forums.

The blackhat search turned up 1.9 billion credentials exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. The vast majority of the credentials found were being traded on private forums.

Despite the huge numbers, only seven percent of credentials exposed in data breaches match the password currently being used by its billion Gmail users, whereas a quarter of 3.8 million credentials exposed in phishing attacks match the current Google password.

The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect.

Phishing kits contain prepackaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking. They’re often uploaded to compromised websites, and automatically email captured credentials to the attacker’s account.

Phishing kits enable a higher rate of account hijacking because they capture the same details that Google uses in its risk assessment when users login, such as victim’s geolocation, secret questions, phone numbers, and device identifiers.

The researchers find that 83 percent of 10,000 phishing kits collect victims’ geolocation, while 18 percent collect phone numbers. By comparison, fewer than 0.1 percent of keyloggers collect phone details and secret questions.

The study finds that 41 percent of phishing kit users are from Nigeria based on the geolocation of the last sign-in to a Gmail account used to receive stolen credentials. The next biggest group is US phishing-kit users, who account for 11 percent.

Interestingly, the researchers found that 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker. By comparison, only 6.8 percent used Yahoo, the second most popular service for phishing-kit operators. The phishing kits were sending 234,887 potentially valid credentials every week.

Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study. Yahoo phishing victims follow at 12 percent. However, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.

They also found most victims of phishing were from the US, whereas most victims of keyloggers were from Brazil.

The researchers note that two-factor authentication can mitigate the threat of phishing, but acknowledge that ease of use is an obstacle to adoption.



Henry Sapiecha

Yet another Cunning Netflix Phish That Just will not Die

The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn’t just its convincing look—it’s that whoever’s behind it has found new ways to bypass spam filters over and over again.


While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.

Deep Deception

As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.

Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. “They’re not even varying their tactics all that much,” he says. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”

While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot of the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim’s name at the beginning.

The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can’t inspect the code for malicious components. The phishing pages also have a defense in place where they won’t load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn’t been flagged on security and spam blacklists.

Most importantly, the Netflix phishers use a well-known technique of compromising legitimate web accounts or web servers, and hosting their phishing pages off of those services. By hosting the pages on sites that have been around for a while and weren’t previously malicious, the attackers buy time on URLs that have credibility (known online as a good reputation score) and won’t be flagged by security scanners. Analysts at the email scanning and security group MailGuard found that in this go-around the Netflix phishers have been using compromised WordPress blogs to host their malicious pages.

This type of approach can be used to launch phishing attacks based off of all different brands and services. Aaron Higbee, CTO of the phishing defense firm PhishMe, says the company has tracked the same types of phishing campaign infrastructure to impersonate brands like Chase, Comcast, TD Bank, and Wells Fargo. And he notes that the system can perpetuate itself. Some of the stolen credentials attackers get out of the scam may include reused credentials for accounts and web servers that the phishers can then compromise and use to launch more attacks.

Safety Steps

The good news is that users can protect themselves by following the standard advice about phishing. To confirm who really sent an email, click on the downward arrow next to the sender’s name in Gmail. It’ll expand to show the full info. Hover over any links to confirm that they lead to the URLs they claim. Make account changes by navigating, on your own, to a site itself, and log in there instead of going through an email link. Don’t reuse passwords. And view any emails that push you to act right away with suspicion.
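As an added example (not code from the article or from any of the firms it quotes), the following Python automates the “hover over any links” advice: it parses the anchors in an HTML message and flags any whose visible text names one domain while the href actually points at another, the pattern of a phishing page hosted on a compromised blog. The sample message and every domain in it are constructed placeholders, and the registrable-domain helper is a deliberate last-two-labels approximation rather than a public-suffix lookup.

```python
"""Flag links whose displayed URL disagrees with their real destination."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes: the visible link
# text claims to be netflix.com, the href goes to a placeholder blog host.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended due to a problem with your billing information.</p>
<p>Please visit <a href="http://blog.example-compromised.test/wp-content/netflix/login.php">
https://www.netflix.com/YourAccount</a> to update your details.</p>
<p>Questions? Visit <a href="https://help.netflix.com">help.netflix.com</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None while not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    (No public-suffix list here, so co.uk-style suffixes are not handled.)"""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_looks_like_url(text):
    """True when the anchor text itself names a host (a URL or bare domain)."""
    if " " in text:
        return False
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return bool(host) and "." in host


def find_mismatched_links(html):
    """Return anchors whose displayed text names a different registrable
    domain than the href really points to; plain-word anchors are skipped
    because their text makes no claim about the destination."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not text_looks_like_url(text):
            continue
        shown = text if "://" in text else "http://" + text
        text_host = urlparse(shown).hostname or ""
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) != registrable_domain(text_host):
            findings.append({"shown": text_host, "actual": href_host, "href": href})
    return findings


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print("link text says %(shown)s but goes to %(actual)s" % hit)
```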

“Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information,” Netflix said in a statement.

There’s a lot at stake. Researchers say that the Netflix phishers also likely sell the victim data they collect to dark-web processors looking for bulk data, credit card numbers, and even just active Netflix accounts that they can resell for a few dollars.

“There are a number of motives here,” Higbee says. “And I know I’m going to sound like a broken record, but if your email address password is the same as your entertainment passwords you’re really setting yourself up for disaster. Your email address password needs to be different even if you don’t vary all your passwords. That alone will prevent a lot of damage.”

You might as well commit those tips to memory—especially with an attack like the Netflix phish that’s been around for months, and isn’t slowing down.


Henry Sapiecha

How to Keep Your Bitcoin Safe and Secure from scammers & hackers so Watch These Videos


Owning cryptocurrency isn’t quite the Wild West experience it was at the beginning of the decade, but investors still face plenty of instability and risk. The threats aren’t just abstract or theoretical; new scams crop up, and old ones resurge, all the time. Whether it’s a fake wallet set up to trick users, a phishing attempt to steal private cryptographic keys, or even fake cryptocurrency schemes, there’s something to watch out for at every turn.

Cryptocurrencies can feel secure, because they decentralize and often anonymize digital transactions. They also validate everything on public, tamper-resistant blockchains. But those measures don’t make cryptocurrencies any less susceptible to the types of simple, time-honored scams grifters have relied on in other venues. Just this week, scams have arisen that divert funds from users’ mining rigs to malicious wallets, because victims forgot to change default login credentials. Search engine phishing scams that tout malicious trading sites over legitimate exchanges have also spiked. And a trojan called CryptoShuffler has stolen thousands of dollars by lurking on computers, and spying on Bitcoin wallet addresses that land in copy/paste clipboards.

A few simple steps, though, can help cryptocurrency proponents—be it Bitcoin or Monero or anything between—guard against a swath of common attacks. Just as you might keep your cash out of plain sight, or stash your jewelry in a safe deposit box, it pays to put a little effort into how you manage your cryptocurrency. The following won’t defend against every conceivable attack on your digital doubloons, but it’s a good place to start.

Cold, Hard (Digital) Cash

A key step to protecting your cryptocurrency is to store anything of significant value in a hardware wallet—a physical device, like a USB drive, that stores your private keys and currency locally, and isn’t connected to the internet. Experts caution against storing large amounts of coins through cryptocurrency exchanges, or in digital wallet apps on your smartphone or computer. The public-facing internet offers an attacker too many inroads to attempt to infiltrate your wallet, or trick you into giving them access.

Secure hardware wallets like Trezor or the Ledger Nano S cost about $100 or less and have a straightforward setup. You just choose a PIN number and a recovery “seed” (usually a set of words and numbers) in case you forget your PIN, or your wallet malfunctions. It’s pretty robust security, so make sure you keep copies of your PIN and seed somewhere accessible to you, but not to home intruders. Recovering currency stored on a hardware wallet after losing both the PIN and the seed is a whole thing. Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University, goes so far as to suggest that you should “keep a backup of the seed key in a fireproof safe.” This stuff is for real.

Your setup also doesn’t have to be fancy; you can store backups of your coins on any external storage device, like a portable hard drive. Just make sure to encrypt the data in case the device is lost or stolen. You might even consider making a backup to leave in a safe deposit box.

Big Spender

The downside to a hardware wallet is that it makes approving transactions a bit cumbersome. If you want more fluid access to your cryptocurrency, experts suggest storing a small amount in a wallet app to facilitate low-value transactions. The key here: Only keep an amount you would be willing to lose in the app, and never give anyone your private key.

Apps like Mycelium Wallet that are interoperable with popular hardware wallets can make your setup more seamless. And some app-based options like Samourai Wallet are working to prioritize robust encryption and privacy features. Still, don’t trust any app with too much cryptocash right now.


Additionally, consider where you store your private keys, the secret half of the public-private key pair that lets you authorise transactions on a blockchain. Always keep them encrypted, and try to avoid leaving them lying around on devices that you use all the time for a lot of different tasks, like your personal PC.

Also consider your transactions carefully. There are tons of established, reliable institutions, but gimmicky new cryptocurrencies crop up all the time, as well as questionable Initial Coin Offerings that could have nothing behind them but scammers on the move. When the cryptocurrency OneCoin, marketed as a Bitcoin competitor, launched this year people bought about $350 million-worth of the coins—which has since drawn comparisons to a Ponzi scheme. And people are even being scammed during legitimate ICOs when attackers launch phishing attacks around the events, or trick would-be investors into sending money to fake wallets. (The Securities and Exchange Commission is poking hard on this.)

Nail the Basics

It’s also important to remember that all the small things you’re already doing (right?) to protect your general digital life help defend your cryptocurrency as well. “We encourage all customers to take a few foundational, and free, actions to put them on a much more stable security footing,” says Philip Martin, director of security at the cryptocurrency exchange platform Coinbase. “Use a password manager, use two-factor authentication, leverage enhanced security protocols for your email address.”

For the especially concerned, Martin even suggests turning on Gmail’s new Advanced Protection feature, and/or adding defenses like a PIN or password to your phone number to make it harder for attackers to grab control of your accounts by transferring your SIM to their own device.

All of these suggestions bolster your general digital security hygiene, but they are particularly helpful for reducing your exposure to the most simple (sometimes impressively so) cryptocurrency scams that can take advantage of small things, like a reused password and no second authentication requirement, to walk in the front door of one of your accounts.

Take that CryptoShuffler trojan, which originally emerged more than a year ago and has been making the rounds again this week. It shows just how basic cryptocurrency scams can be. The malware works by lurking silently on a victim’s computer and passively monitoring their clipboard, waiting for the victim to copy a Bitcoin wallet address. When it sees a string that looks like a wallet address, CryptoShuffler simply swaps the address the victim copied for its own malicious wallet address, so that the attacker’s address is what lands in the payment field. If the victim doesn’t spot the change, the transaction goes through and the coins go to the crooks.

The best way to defend against an attack like that (if your malware scanner doesn’t detect the intrusion) is simply to check every transaction carefully before confirming it, comparing the destination address in the payment field against the one you actually intended to pay, and to take steps to safeguard your assets so you know your data hasn’t been exposed.
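As an added example (not code from the article), the Python below shows why that comparison, rather than any format check, is the defence against the clipboard swap just described: a swapped-in address is itself a perfectly well-formed address, so Base58Check validation passes for both, and only matching the pasted destination against an address obtained out of band (invoice, QR code, hardware-wallet screen) catches the substitution. It handles legacy Base58Check (P2PKH/P2SH) mainnet addresses only, and the two sample addresses are constructed from throwaway hashes rather than being anyone’s real wallet.

```python
"""Pre-send check against a CryptoShuffler-style clipboard address swap."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _hash256(data):
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version, payload):
    """Encode version byte + payload with a 4-byte double-SHA256 checksum."""
    body = bytes([version]) + payload
    raw = body + _hash256(body)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr):
    """Return (version, payload) for a legacy address, or raise ValueError
    when the alphabet, length or checksum is wrong."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character outside Base58 alphabet: %r" % ch)
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))   # leading '1's are zero bytes
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        raise ValueError("decoded length %d, expected 25" % len(raw))
    body, checksum = raw[:-4], raw[-4:]
    if _hash256(body)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return body[0], body[1:]


def is_valid_legacy_address(addr):
    """Format check only: True for any well-formed P2PKH (0x00) or P2SH (0x05)
    mainnet address. An attacker's address passes this just as well."""
    try:
        version, payload = base58check_decode(addr)
    except ValueError:
        return False
    return version in (0x00, 0x05) and len(payload) == 20


def safe_to_send(intended, pasted):
    """The actual defence: the pasted destination must be well-formed AND
    identical to the address obtained out of band. Returns (ok, reason)."""
    if not is_valid_legacy_address(pasted):
        return False, "pasted destination is not a well-formed address"
    if pasted != intended:
        return False, "destination differs from the intended address (possible clipboard swap)"
    return True, "destination matches"


# Constructed sample: two addresses built from throwaway 20-byte hashes,
# standing in for the victim's intended payee and the malware's wallet.
PAYEE_HASH = hashlib.sha256(b"payee").digest()[:20]
INTENDED = base58check_encode(0x00, PAYEE_HASH)
SWAPPED = base58check_encode(0x00, hashlib.sha256(b"attacker").digest()[:20])

if __name__ == "__main__":
    print("intended:", INTENDED, "valid:", is_valid_legacy_address(INTENDED))
    print("swapped: ", SWAPPED, "valid:", is_valid_legacy_address(SWAPPED))
    print(safe_to_send(INTENDED, SWAPPED))
```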

And once you have the basics in place, make sure your friends adopt the same mindset. The more secure the ecosystem, the less attractive a target it is to bad actors. “Help newcomers to crypto with their security,” Cornell’s Sirer says. “The area is new and we need to support the people who are just finding their way in.”

Luckily, you don’t need to be a cryptography expert to take the basic security steps that will protect you against the majority of attacks. And seriously, if nothing else, don’t lose that wallet seed.