NASSAU BAY, Texas – From data breaches at Target to Neiman Marcus, identity thieves have set their sights on tens-of-millions of shoppers’ personal information.
Now there’s a warning about another threat to your identity. It’s one you probably never thought of.
But, as the KHOU 11 News I-Team found, it’s already cost a Harris County businesswoman thousands of dollars.
It started when Leeanne Rambin, owner of Empire Creative Marketing, was contacted about an order.
At first, nothing seemed unusual.
“The type of work we do, everything’s different and it’s always changing,” Rambin explained.
The new client wanted 1,000 USB drives printed with the company’s name and logo.
That company, GVIC Business Solutions, told Rambin the flash drives were going to be given away to potential customers.
Rambin says she was excited about the large order that came in right before Christmas.
As a precaution, she checked out the company’s website, and required it to pay for the order upfront.
She says there were no red flags, and soon GVIC Business Solutions wanted 1,000 more USB drives.
Even better, another new client, a company claiming to be a Florida-based energy supplier, wanted 1,000 customized USB drives too.
But Rambin’s excitement over the sudden surge in orders was short-lived.
“I mean it blew my mind,” said Rambin shaking her head at the memory. “I was devastated.”
It turned out the credit card numbers used for the orders were stolen. Rambin says she eventually discovered that neither of the actual cardholders knew anything about the orders.
On-line records show the website GVIC Business Solutions set-up was registered just days before the so-called company contacted Rambin.
And the company’s physical address?
The I-Team found it was actually a parcel-forwarding service based in Indiana.
“Everything looks like fraud in this case,” explained cyber security expert Dan Clements.
Clements, who is President of the cyber intelligence company IntelCrawler, believes the USB drives may have been ordered with company names and logos in an effort to gain the trust of would-be targets.
“It looks sinister because of all the preemptive steps that were taken,” Clements said of the USB drive orders. “It seems to be a much bigger, coordinated operation. That’s our opinion.”
Clements says once the drive is put into someone’s computer they could be exposed to whatever has been loaded onto them.
“And whammo, they have a virus on their computer!” said Clements. “It’s logging their keystrokes. They (identity thieves) could get into their (victims’) bank accounts. There’s all kinds of ways that a USB stick could be used.”
But in this age of identity theft, would people really use computer hardware if they didn’t know where it came from?
To answer that question, the 11 News I-Team loaded blank USB drives with a warning, then placed them in a bowl. Then we placed that bowl in a coffee shop in the Heights with a sign welcoming anyone to “take one”.
It took just minutes before people were grabbing the drives and stuffing them into their pockets.
“I was curious about it,” explained one man who took a free drive.
Another customer told us he wouldn’t have given a second thought to popping the flash drive he took into his computer.
“Had we put something bad on that, and you put it in your computer, you could have been compromised,” the I-Team told him.
“That’s true,” the man admitted. “That’s true.”
And it’s a big threat, according to Clements.
“If the USB stick was used in a company or a government office, and it was somebody that had control of their computer systems, it could propagate and give complete control of their organization to the attacker,” warned Clements. “They could basically own that organization.”
Those are the kinds of what-if’s Rambin tries not to think about.
“I felt very violated,” she said. “I was in the middle of a scam I had basically facilitated.”
It’s why, even though Rambin knows it could hurt her business, she wants you to remember, when it comes to computers, there’s no such thing as a free lunch.
“Maybe others will be warned,” Rambin told the I-Team. “Maybe others will think twice before taking a random USB drive from a company they don’t know.”
Rambin was able to stop two of the three fraudulent orders before they shipped.
However, she was stuck paying the manufacturer for 1,000 of the printed USB drives.
The I-Team could not find any record that either of the two companies that placed the orders are registered in the states where they’re supposedly based.
In response to an e-mail asking about the situation, GVIC Business Solutions wrote, “This is issue will be resolved shortly sorry for any inconveniences.”
But, so far, Rambin says no one from the company had offered to pay for the USB drives sent to GVIC Business Solutions.
Shortly after the I-Team contacted GVIC Business Solutions, a message appeared on the company’s website saying the site was unavailable.
The company has also not responded to messages left on a telephone number given to Rambin or answered an e-mail asking the company to provide a contact name and phone number.
Brian Weninger, the founder of South Carolina-based Sky Energy Inc. said the logo, e-mail, and telephone number used by the Florida company that ordered the USB drives was not affiliated with his company.
There also does not appear to be any connection between GVIC Business Solutions and other companies with similar names.