[Full-disclosure] Diamond Prize Center internal documents not secure ...
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Diamond Prize Center internal documents not secure ...
- From: James Malberry <jamesny10028@xxxxxxxxxxx>
- Date: Thu, 9 Oct 2008 17:00:16 -0700
Here's an actual telemarketing script to get you to go to a timeshare
presentation. I do not work for Diamond Prize, nor am I a former employee. I am a
tax accountant with a background in Information Technology. Their company
site, www.diamondprizecenter.com, is a single web page that is password protected.
I did not hack this website; Google crawled their site (as it does all sites) and
cached one of their training pages, which I have reproduced below. If this email
does make it back to DPC, I suggest the following:
1) Rewrite your script(s), without brainer.
2) I highly suggest that you remove sarcastic comments.
3) In the beginning of the script, you should state your *purpose* for the call.
4) Also suggested is to ask the prospect if they entered for a car in the last
90 days.
Buried in the script is an admission that 1 in 4 people actually stay for
the whole 90-minute presentation. Whoever is left gets a scratch-off to see who
gets what prize. I would post plainly and clearly on your website how your
contest is "State registered for the last 22 years". Such a claim could border
on fraud, and this email is already in the hands of state attorneys general
and the Department of Consumer Affairs.
The site also features 'recruitment pages' so that current agents can earn a
referral bonus. These pages are under the main DPC domain name. The typical format
is: www.diamondprizecenter.com/(recruiter's nickname).
If you *are* Damien Tackett, founder of Tackett, LLC, you have not done the due
diligence required to maintain your company's security. You may decide to keep
your single password box in front of internal documents; however, you should not have
your documents in clear text behind it. I would zip them, encrypt them, and rotate
the passwords based on training cycle.
Or do what larger corporations do: install a DMZ on your network and put
up a password box there, so an agent can authenticate through the DMZ onto
the internal network, where your internal training documents SHOULD be.
Considering that everything is on one server, online, I presume that all your
DPC listings are there as well, and if your DPC list is complete without regard
to any security, those W-9s that you require agents to fill in can be stolen.
It would take an actual hacker with disregard for the law to steal corporate
data. I am a white-hat systems analyst. I publicly point out problems
concerning companies' IT procedures.
Through your homepage on your public domain, there is an admission by DPC that
someone is posing as DPC and is engaged in a fake-check scam. Whether you are
victim or perpetrator, the general public must be aware that they could get a
fake check from DPC urging the consumer to cash it. Granted, on your page you
are talking to federal authorities on the matter and have warned consumers
about the fake-check scam; again, your due diligence is not completely
fulfilled. Have you actually contacted all the consumers that your company
sent to those QAs [qualified appointments] in the first place? I'm not talking
email here, I'm talking about actual hard-copy letters stating that DPC was
targeted in a fake-check scam.
When I experienced a data loss of income tax records, I immediately sent all
clients a hard-copy letter describing the data loss, information about
identity theft, and contact information for the three credit bureaus with their
800 lines, advising clients to put themselves on a fraud watch list for six
months. That, sir, is due diligence.
If and when things at DPC get back to normal, you also need to perform due
diligence on fully disclosing the 1099 status for agents. Sure, you mention
that it's work at home, and 1099, meaning self-employed, but it's buried on the
site. You must use everyday language as to what the tax implications of
becoming a 1099 contractor actually are. Your spamming of Christian message
boards illustrates this point.
A word about taxes and your script. DPC agents frequently say that
there are no single men because they didn't pay their taxes on the car they won.
As a company, your diligence is giving the contest winner a W-9 to fill in that
discloses his or her Social Security number. Your responsibility is limited to
reporting the income earnings to the IRS. The IRS is responsible for tax
collection, not you, not DPC, nor any of your agents. If the taxpayer does not
report their income properly, the IRS will add penalties and interest in hopes
of collecting taxes due. That is out of your hands.
I hope you take this letter seriously and constructively. My intent was not to
harm DPC, nor you personally, Mr. Tackett. I don't mind telemarketing
companies doing legitimate business. Where the problem lies is that agents
are leaving messages telling the consumer that they won a prize and to call
back. That antic is illegal. Instruct your agents of that fact, and continue
to use your word, "finalist".
== BEGIN telemarketing script ==
< ... snip ... >
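The security point of the message above (a password box on a single web page, with the training documents served in clear text behind it, so a crawler such as Google's cached them) can be shown with two small request handlers. This is an added example, not code from the original post and not DPC's site: the `/training` path, the username `agent01`, the password `agents2008`, and the document text are all constructed for the illustration. The first handler models the "password box" design, where the gate lives in browser-side JavaScript and the server sends everyone the same page; the second checks HTTP Basic credentials on the server against a salted PBKDF2 hash and never emits the document without them.

```python
"""Added example: a client-side password box versus a server-side gate.

Neither handler is DPC's real site. Path, credential and document text are
constructed assumptions for the demonstration.
"""
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the training document the post reproduces.
TRAINING_DOC = "== BEGIN telemarketing script == (constructed stand-in text)"

# --- Design 1: the "password box" anti-pattern --------------------------------
# The gate and the documents ship in one response; JavaScript in the browser
# decides whether to *display* them. Any client that ignores the script
# (a crawler, curl, "view source") receives the full document regardless.
CLIENT_GATED_PAGE = f"""<html><body>
<input id="pw" type="password"><button onclick="unlock()">Enter</button>
<div id="docs" style="display:none">{TRAINING_DOC}</div>
<script>
function unlock() {{
  if (document.getElementById('pw').value === 'agents2008') {{
    document.getElementById('docs').style.display = 'block';
  }}
}}
</script></body></html>"""


def client_gated_handler(path, headers):
    """Serves the same response to every client; 'protection' exists only in the browser."""
    if path == "/training":
        return 200, {"Content-Type": "text/html"}, CLIENT_GATED_PAGE
    return 404, {}, "not found"


# --- Design 2: server-side gate -----------------------------------------------
# Credentials are verified on every request and the document is only written
# to the response after they verify. The password is stored as a salted
# PBKDF2 hash rather than in clear text.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = os.urandom(16)
USERS = {"agent01": (_SALT, _pbkdf2("agents2008", _SALT))}  # constructed credential


def _verify_basic_auth(header_value):
    """Return True only if the Authorization header carries a valid user:password."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header_value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    record = USERS.get(user)
    if record is None:
        _pbkdf2(pw, _SALT)  # same cost for unknown users, so timing does not reveal them
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(pw, salt), expected)


def server_gated_handler(path, headers):
    """Refuses with 401 unless credentials verify; marks the document non-cacheable."""
    if path != "/training":
        return 404, {}, "not found"
    if not _verify_basic_auth(headers.get("Authorization")):
        return 401, {"WWW-Authenticate": 'Basic realm="training"'}, "authentication required"
    return 200, {"Content-Type": "text/plain", "Cache-Control": "private, no-store"}, TRAINING_DOC


def basic_header(user, pw):
    """Build an HTTP Basic Authorization header value for a user/password pair."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def crawler_sees_document(handler):
    """Model a crawler: fetch with no credentials and report whether the document text came back."""
    status, _, body = handler("/training", {})
    return status == 200 and TRAINING_DOC in body


if __name__ == "__main__":
    print("client-gated page leaks document to crawler:", crawler_sees_document(client_gated_handler))
    print("server-gated page leaks document to crawler:", crawler_sees_document(server_gated_handler))
    status, _, body = server_gated_handler(
        "/training", {"Authorization": basic_header("agent01", "agents2008")})
    print("agent with credentials gets document:", status == 200 and body == TRAINING_DOC)
```

The crawler model is the whole point: with the first design it gets the document text even though it never typed a password, which is exactly how a cached copy ends up in a search engine. The second design is the minimum the post's advice amounts to (authenticate on the server, keep the documents out of any response that did not authenticate); a DMZ or an encrypted archive with rotated passwords is layered on top of that, not a substitute for it.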
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/