Risk
9/5/2012
04:55 PM

U.S. Secret Service Probes Extortion Attempt Claiming Theft Of Romney's Tax Returns

Security experts say scammers' claims sound fishy; PricewaterhouseCoopers says there is 'no evidence' of a breach

The U.S. Secret Service is investigating a bizarre case involving claims of an alleged theft of Republican presidential nominee Mitt Romney's tax records and a $1 million ransom fee in exchange for keeping them under wraps.

A Secret Service spokesperson confirmed reports that the agency is investigating the case, but declined to comment further. An unnamed person or group recently posted on Pastebin that they had accessed the Franklin, Tenn.-based offices of PricewaterhouseCoopers, copied Romney's 1040 tax return documents for years prior to 2010 onto USB sticks, and sent copies to local Democratic and Republican party offices. "The group will release all available files to the public on the 28th of September, 2012," an online post says.

The alleged attackers say they got inside the PWC offices on August 25 by duping a man in the building into giving them access. "Once on the 3rd floor, the team moved down the stairs to the 2nd floor and set up shop in an empty office room. During the night, suite 260 was entered, and all available 1040 tax forms for Romney were copied. A package was sent to the PWC on suite 260 with a flash drive containing a copy of the 1040 files, plus copies were sent to the Democratic office in the county and copies were sent to the GOP office in the county at the beginning of the week also containing flash drives with copies of Romney's tax returns before 2010. A scanned signature image for Mitt Romney from the 1040 forms was scanned and included with the packages, taken from earlier 1040 tax forms gathered and stored on the flash drives," the post says.

Meanwhile, a PWC spokesperson says there's no evidence of the theft. "We are aware of the allegations that have been made regarding improper access to our systems. We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question," the spokesperson said.

The Nashville City Paper reported that the attackers demanded $1 million in Bitcoins to keep the records from being posted for all to see. They said they will send an encrypted copy of the files to major media outlets, and they'll withhold the encryption key if PWC pays up. "At the same time, the other interested parties will be allowed to compete with you. For those that DO want the documents released will have a different address to send to. If $1,000,000 USD is sent to this account below first; then the encryption keys will be made available to the world right away. So this is an equal opportunity for the documents to remain locked away forever or to be exposed before the September 28 deadline," the alleged attackers wrote in a new post yesterday that was specifically addressed to PWC.

Security experts were skeptical about the validity of the claims by the anonymous blackmailers, however. "What's interesting about this is that they provided some details to indicate it's real, but not enough," says Robert Graham, CEO at Errata Security, who says the claims have a 30% chance of being true. "The correct way to do this is like with the FBI dump, to provide some independently verifiable details. They didn't do that, so it's probably false. To do this correctly, they have to: one, provide a detail that only somebody with the tax returns can know; two, put up the encrypted file as a bittorrent."
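Graham's two tests above amount to a commitment: the claimant publishes something fixed and checkable before the deadline (a detail only the holder could know, and the encrypted file itself), so that a later key release can be verified against it rather than taken on faith. The Python below is an added illustration of that pattern and is not code from the article or anything the posters described using. It builds a minimal authenticated encryption scheme from the standard library (an HMAC-SHA256 keystream plus an HMAC tag, standing in for a real AEAD such as AES-GCM), publishes a SHA-256 fingerprint of the encrypted package, and shows that a package swapped at release time or a wrong key is rejected. The sample document is constructed for the example.

```python
"""Commit-then-reveal release of an encrypted file (added example, stdlib only)."""
import hashlib
import hmac
import os
import struct


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; a toy stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; returns the package a claimant would publish up front."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt(key: bytes, pkg: dict) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails loudly."""
    expected = hmac.new(_subkey(key, b"mac"), pkg["nonce"] + pkg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        raise ValueError("authentication failed: wrong key or altered package")
    ks = _keystream(_subkey(key, b"enc"), pkg["nonce"], len(pkg["ciphertext"]))
    return bytes(c ^ k for c, k in zip(pkg["ciphertext"], ks))


def package_fingerprint(pkg: dict) -> str:
    """What gets published alongside the torrent: a hash binding the exact bytes."""
    return hashlib.sha256(pkg["nonce"] + pkg["ciphertext"] + pkg["tag"]).hexdigest()


def verify_release(fingerprint: str, pkg: dict, key: bytes) -> bytes:
    """Recipient's check when the key finally appears."""
    if not hmac.compare_digest(package_fingerprint(pkg), fingerprint):
        raise ValueError("package does not match the fingerprint published before the deadline")
    return decrypt(key, pkg)


def commit_detail(detail: bytes, salt: bytes) -> str:
    """Commit to a 'detail only the holder could know' without revealing it yet."""
    return hashlib.sha256(salt + detail).hexdigest()


def open_detail(commitment: str, detail: bytes, salt: bytes) -> bool:
    return hmac.compare_digest(commit_detail(detail, salt), commitment)


def demo() -> tuple:
    # Constructed sample document; not a real tax record.
    document = b"Form 1040 (2009) -- sample text constructed for this example"
    key = os.urandom(32)
    # Step 1: claimant publishes the package and its fingerprint before the deadline.
    pkg = encrypt(key, document)
    fingerprint = package_fingerprint(pkg)
    # Step 2: the key is released later; holders of the package verify and decrypt.
    recovered = verify_release(fingerprint, pkg, key)
    # A different package substituted at release time is caught by the fingerprint.
    try:
        verify_release(fingerprint, encrypt(key, b"something else entirely"), key)
        swap_detected = False
    except ValueError:
        swap_detected = True
    # A wrong key fails authentication instead of producing silent garbage.
    try:
        decrypt(os.urandom(32), pkg)
        wrong_key_detected = False
    except ValueError:
        wrong_key_detected = True
    return recovered == document, swap_detected, wrong_key_detected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the fingerprint is that nothing about the encrypted package can change after the deadline is announced; without it, a "key release" proves only that the releaser can decrypt whatever they choose to hand over that day. A real deployment would use a vetted AEAD in place of the HMAC keystream.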

Graham also pointed out why the Bitcoin demand just doesn't add up: "BitCoins aren't as anonymous as people think, nor is the market liquid enough to handle a $1 million transaction," he says.

The perpetrators appear to have mixed a little social engineering to bypass physical security with some basic hoovering of information, mainly from paper to the USB stick. "If the story is true, it would be a classic case study in the need to have better physical security," says Stephen Cobb, security evangelist for ESET.

It's unclear whether the attackers actually stole some information from a computer or scanned or photographed hard copies of the returns, he says. "It sounds like these were paper records" they copied onto the USBs, he says.

And Cobb also concurs that one of the weakest links of the alleged caper is the Bitcoin demand: "Getting paid is always the hardest part of a scam," he says. "Choosing Bitcoin ... sounds odd."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
