The Better Business Bureau says that for the first time in its history, it serviced over 100 million service requests. Unfortunately, a large portion of those service requests appear to be accessible online. When you make an online complaint with the BBB, the following information is kept:

The name and full contact information of the business and consumer, along with a full description of the business transaction, possibly including account numbers or a doctor's name and care.

One of the primary problems is that the BBB sends out email updates and asks that people correspond by clicking on a vaguely obfuscated URL. No username or password is required. And because the e-mail is HTML rich text, the user doesn't know what web site they're visiting. But don't worry, because it's not a BBB domain, but rather a sub-domain of their vendor.

For someone wanting to commit fraud, this is a gold mine. Criminals need an element of trust to take advantage of, and knowing a complete back story and/or the vendor gives them the perfect opportunity. Add the BBB brand to the fraudulent pitch and people are more likely to default to trusting the new e-mail.

Here is a brief time line showing how this information leak might have been used:

It's possible the major leak has nothing to do with the widespread phishing or the targeted phishing attacks where the criminal likely knew the executive would trust the BBB link.

But let's look at how easy it is to download a massive number of complaint records.

To get the initial URL, file an online complaint or Google:
“BBB CASE” “DAY PHONE”
This will bring up about 100 cases. Not a lot at first. You might even notice the URLs are slightly secure:
subdomain.vendor.com/complaint/view/########/c/zh9nf9
The last digits, zh9nf9, are required to access the URL. It's difficult, but not impossible. What you can do easily is change the ######### to a number higher or lower to get to the next case.
However, there are handy links for downloading the entire complaint as RTF. That link looks more like:
subdomain.vendor.com/merge.php?
title=Download%20Complaint%20Form.cf.rtf
&bid=2396295
&cid=#######
Once you have one of those links, someone can write a simple script to increase and/or decrease the number and download as many records as they want. And they get a new population for every BBB server they find.
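Because the cid in the merge.php link is a plain sequential number with no per-record token, an enumeration of it shows up in the vendor's web-server logs as one client walking cid values one step at a time. The following is an added example (not code from the original post or from the BBB or its vendor) of detection logic a defender could run over such logs; the log lines, client IPs and cid values are constructed for the example, and only the bid value and URL shape come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (client IP, method, request target).
# The IPs and cid values are made up; the URL shape matches the post.
SAMPLE_LOG = """\
203.0.113.7 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000101
203.0.113.7 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000102
203.0.113.7 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000103
203.0.113.7 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000104
203.0.113.7 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000105
198.51.100.9 GET /merge.php?title=Download%20Complaint%20Form.cf.rtf&bid=2396295&cid=1000250
198.51.100.9 GET /complaint/view/1000250/c/abc123
"""

LINE_RE = re.compile(r"^(\S+) GET (\S+)$")


def cids_by_client(log_text):
    """Map each client to the ordered list of integer cid values it pulled from merge.php."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, target = m.groups()
        parts = urlsplit(target)
        if parts.path != "/merge.php":
            continue  # only the RTF download endpoint carries the bare cid
        cid = parse_qs(parts.query).get("cid", [None])[0]
        if cid and cid.isdigit():
            seen[client].append(int(cid))
    return seen


def longest_sequential_run(ids):
    """Length of the longest run of consecutive requests whose cid moves by exactly +1 or -1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text, threshold=4):
    """Return {client: run_length} for clients whose stepwise cid run reaches the threshold."""
    flagged = {}
    for client, ids in cids_by_client(log_text).items():
        run = longest_sequential_run(ids)
        if run >= threshold:
            flagged[client] = run
    return flagged
```

A legitimate complainant fetches one or two records; a client stepping through adjacent cids is the signature of exactly the bulk download the post describes, and the same logic can be extended with a time window once the log format carries timestamps.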
I found this simply by being an observant consumer and watching how my vendor was handling my data. Since the Better Business Bureau hasn't responded for almost two months, at least consumers can make a choice, as opposed to the organization making the choice, about whether or not they want to continue entering data or want to address the information out there already.
