Governor’s offices in four US states earlier this month received HP laptops that they hadn’t ordered, and that were bought with credit cards that had not been issued by the states to any of their employees
Governor’s offices in four states earlier this month received a handful of laptops in two shipments each that they had not ordered and that were bought with credit card numbers not associated with their offices or other state agencies.
State and federal investigators are looking into why governor’s offices of Vermont, Washington, West Virginia and Wyoming each received three to five Hewlett-Packard laptops that they had not ordered.
An informational e-mail sent out by the National Governors Association, alerting their members about the mysterious PC deliveries, also noted that HP had intercepted another delivery that was headed for a fifth state. A spokesperson with the association said in an interview that the organisation had been in contact with HP officials about the issue.
HP officials are not commenting on the situation other than to issue a statement that says that the company—which is the top PC vendor in the world—is “aware that fraudulent state government orders recently have been placed for small amounts of HP equipment. HP took prompt, corrective action to address the fraudulent orders and is working with law enforcement personnel on a criminal investigation.”
HP reportedly has contracts with each of the four states to supply computer equipment.
The laptops apparently were bought with credit card numbers not issued with the state. According to the National Governors Association’s e-mail, the computers sent to Vermont were paid using a credit card that was issued in Gov. Jim Douglas’ name, even though it wasn’t his credit card nor one that the state had issued to him.
Dennise Casey, a spokesperson for Douglas, said in an interview that Vermont received two shipments of two laptops each. The systems and pertinent information were turned over to the state’s attorney general’s office, Casey said.
She said state officials were unsure what to make of the deliveries when they arrived, given that the state hadn’t ordered them.
“Certainly the main reaction was curiosity because [officials didn’t know] why a couple of these computers had been delivered when no one had ordered them,” Casey said. “We’re really puzzled.”
She said that no one in the governor’s office had turned on any of the computers.
Roger Kay, an analyst with Endpoint Technologies Associates, said it’s hard to figure out who would benefit by running this kind of scam.
A fairly standard fraud is one where someone gets illegally obtained credit card numbers from a botnet operation, uses those numbers to buy computers from a vendor and then has the systems delivered to someplace where they could easily get a hold of them. The criminals then turn around and sell those systems on an online site, such as eBay, Kay said in an interview.
The goal there is to get something that can quickly be turned around for cash, he said.
In this instance, nothing that the fraud perpetrators are doing makes much sense, Kay said. Sending the laptops to a governor’s office makes it unlikely that the perpetrators will ever get their hands so the systems.
If the goal is to put some sort of root kit or malware into the laptops to infect the network, there are any number of easier and more reliable ways to do that, he said. Besides, there are bigger targets, such as financial institutions if the goal is money, and the CIA and NSA if the target is secrets.
“Why would anyone give a rat’s ass about state government?” Kay asked. “What do they have that anyone could possibly want?”
In addition, the states are fairly small ones, with the exception of Washington, he said. “There’s not enough money there [to justify the effort],” he said. “Why not target Connecticut or New York?”
It could be just a hoax done by hackers who aren’t looking to cause any real trouble, but again, the effort involved to find out enough about the states—which seem to have few things in common outside of their HP contracts and their place at the end of the alphabetised state list—to pull the trick seems extreme.
“So far, I haven’t been able to put a scenario in my head that’s worth the risk or the payment,” Kay said.