Cyber-crime and punishment:
Nefarious characters roam the wild, wild Web
Date: January 12, 2005
By: Keith Phucas
Editor's note: This is the first part of a four-part series examining
criminal activity on the Internet and efforts to stop it.
NORRISTOWN - The Internet gives millions of people faster access
to more information than at any time in human history. A few mouse
clicks enables online users to buy a best-selling book, bid on baseball
memorabilia or book a flight to Bora Bora.
The global system of linked computer networks has revolutionized the
way people communicate with friends and family and the way they
work, shop and play.
According to America Online, some portion of its online subscriber
membership - which totals 35 million - sent a staggering 1.5 billion
instant messages Monday.
But computer network security specialists don't share the giddy
enthusiasm about the Internet as ordinary online surfers.
Emory Simmons, vice president of information security at Wachovia
bank, sees himself as a defender guarding the bank's network against
cyber-intruders trying to launch attacks.
"The Internet is a pretty dirty place," he said. "If you hook up a
personal computer to a modem, you have about 20 minutes before
something infects it."
Once the province of engineers and the technically savvy, today
millions depend on Internet connections to send e-mail, pay their bills,
bid in online auctions or download files of nude models.
As of July 2004, there were 201.6 million Internet users in the United
States, according to Nielsen Ratings service, about 69 percent of the
But security experts warn Internet users that cyber-bad guys -
hackers, crackers and con artists - are lurking in the virtual shadows
to find a "back door" into unsuspecting users' computer systems.
A hacker using network "sniffer" software can spy on network traffic
that might include someone's computer user name, password and
Internet protocol, or IP, number that would give the hacker access to
computer systems and possibly financial information.
Most instant messages are not encrypted, which makes it easy for
sniffers to eavesdrop on conversations.
Spyware, software that gathers information about online users as they
navigate the World Wide Web, is often bundled into software and
downloaded unwittingly by Internet users.
Other cyber-saboteurs deface Web sites. Someone sabotaged the
U.S. Department of Justice's page by writing "United States
Department of Injustice" and inserting a swastika.
Other cyber-criminals engage in "spoofing" by creating phony
look-alike Web sites that appear to be a well-known company's actual
homepage. Their scam aims to fool people into disclosing confidential
information that can then be used illegally. To make a spoofed site
appear legitimate, the scammers typically recreate a site's familiar
graphical interface and logo.
Most online e-commerce sites use encryption to prevent criminals
from capturing and deciphering consumer credit-card account
Once someone's personal information is stolen, the identity thief can
go on a spending spree and ruin the victim's credit rating.
A padlock icon that appears in the lower right corner of an Internet
vendor's Web pages lets users know their sales transaction will be
encrypted and thus secure. However, criminal hackers have been
known to fake the padlock icons as well and steal consumers'
credit-card account information.
Unsolicited e-mail, or "spam," is the Internet equivalent of "junk
mail" and every bit as irritating. Often, online subscribers open their
mail to find dozens of spam e-mails crowding out their e-mail
directories' legitimate messages.
Typically "spammers," the bane of all online subscribers, try to bait
users into falling for "get rich quick" schemes or other scams.
"You can't keep up with it," cyber-security expert Lance Hawk said.
In November, Hawk spoke to a group of accountants attending a
computer security conference at the Radisson Hotel in King of
Even technically unsophisticated hackers, called "script-kiddies," can
wreak havoc with computer networks by running automated programs
they've downloaded from the Internet. Often these hackers are
"If you can operate a mouse, you can launch an attack," Hawk said.
He likened the World Wide Web to the lawless Western territories of
America's 19th-century past.
"The 'www' stands for the wild, wild West," he said. "They haven't
yet put a corral around it."
Let the bidder beware
The most popular Internet auction site, eBay, brings sellers of almost
anything under the sun together with prospective buyers. Besides a
dizzying variety of collectibles and memorabilia, sellers routinely offer
planes, model trains and automobiles - even racecars.
For the first nine months of this year, eBay's revenues increased 54
percent to $2.3 billion, according to Fortune.com.
The PayPal escrow service enables eBay customers to send and
receive payments securely online.
Not surprisingly, the auction site's meteoric rise has attracted scam
In 2003, Internet auction fraud topped the list of complaints reported
to the FBI's Internet Crime Complaint Center (IC3).
Earlier this year, Arnold Engstrand was stunned when he received an
e-mail message informing him that $678 had been paid out from his
PayPal account to someone in the United Kingdom.
But Engstrand hadn't bid on anything on eBay recently, and he was
puzzled. Though the message appeared to be from eBay's PayPal
service, he later discovered it was fraudulent.
"The message was from the thief," he said.
After contacting PayPal, the Ridley Township resident concluded
someone had snatched his PayPal personal identification number.
"Once they have the password, they can do anything to transfer
funds," he said.
The experience had a chilling effect on Engstrand's future eBay
buying habits. Now he keeps substantially less money in his auction
account, he said.
Model train collector Rich Laver nearly lost $2,300 after bidding
closed on a Lionel train set up for auction on eBay.
But Laver blames himself for being too eager to buy the train, not the
online auction service.
The Lower Gwynedd man bid $2,301.99 on the train set, but a late bid
was submitted for about $2,500, Laver recalled.
However neither bid reached the seller's reserve amount of $3,000 - a
threshold value acceptable for a sale - so the seller closed the bidding.
Later, a man identifying himself as the train seller contacted Laver to
say he would accept his offer and told him to expect an e-mail
confirmation from eBay confirming the deal.
This independent haggling by sellers and prospective buyers following
auctions is commonplace, Laver said.
"There's a lot of deal making outside of the bidding," he said. "Buy
you take a risk if you deal outside of eBay."
The offline negotiating strategy also saves the seller from having to
pay a 4-percent fee to the auction company.
But the man Laver believed was the seller was actually an imposter.
However, Laver wasn't suspicious yet.
Next, Laver received an e-mail that he believed came from eBay, but
the con man had actually spoofed the message - including the
distinctive eBay logo - and directed the model train aficionado to wire
the money through Western Union.
"(He) made it so official-looking, that anyone would have sent the
money," he said.
But when the con man called Laver repeatedly on the telephone to
ask if he had wired the funds, he began to get suspicious.
The facts that the foreign-sounding caller seemed unconcerned about
adding a shipping charge and was willing to absorb the Western Union
fee raised a red flag, too.
"So I held off a day," he said.
Eventually, Laver contacted the original seller through e-mail and
figured out the solicitations were a hoax.
Laver admitted he nearly fell for the scam. Now he's wiser and has
set a limit on his PayPal account.
In 2003, eBay saw a rise in "phishing" scams that involved con artists
sending e-mails purportedly from the auction company threatening to
suspend customers unless they updated credit-card information.
Online service providers and vendors advise customers not to give
anyone a personal password or PIN under any circumstances.
Shaking consumer confidence
Online shoppers' fears of computer security threats may have
reduced how much money they spent this holiday season.
Nearly six out of 10 consumers, or 58 percent, expressed their
concerns about online shopping in a joint survey conducted by TNS
and TRUSTe. That figure is up from 49 percent from last year's
The leading reasons cited by a nationally representative sample of
1,071 respondents for reducing or halting their Internet buying
included concerns about identity theft, credit-card theft, spyware and
The FBI in Philadelphia fields plenty of consumer complaints about
computer intrusions, but won't usually investigate computer viruses
that vex individual computer users.
"We get complaints in the hundreds," Special Agent Chris Wilk said.
"But we very rarely get involved."
Instead, the federal law-enforcement agency focuses its substantial
resources on corporations that have monetary losses of $200,000 or
In May 2000, the FBI, Department of Justice and National White
Collar Crimes Center jointly created the Internet Fraud Complaint
Center (IFCC) as a vehicle for online-fraud victims to register their
The IFCC was renamed the Internet Crime Complaint Center in 2003.
The IC3 processes and refers all reports it receives regardless of the
alleged monetary loss and forwards them to law-enforcement
Last year, 124,509 complaints were registered at iC3.gov, a 60
percent increase over 2002. The total dollar losses from all fraud
reported to IC3 in 2003 was $125.6 million.
Though FBI Special Agent Norm Sanders admitted consumer fraud is
a significant problem for consumers, he said purchasing merchandise
with a credit card online is no more risky than a cardholder buying
from a retail store in the King of Prussia mall.
"In the department stores, a credit card (authorization) goes through
the same customer database as it does online," Sanders said. "If
somebody does hack that database, they'll get your information
Keith Phucas can be reached at email@example.com or
610-272-2500, ext. 211.