WebCrime
HORROR STORIES
Home
THE PROFIT MOTIVE: MyDoom Redux:
MALICIOUS CODE
HORROR STORIES
SPYWARE
SPOOFING
ANTHRAX
VIRUSES BY OTHER NAMES
PROGRAMMING VIA BIOLOGICAL ENGINEERING TECHNIQUES
MYDOOM
WORMS
KEYLOGGER
SPYWARE
HYBRIDS
ANTHRAX ON THE INTERNET
ANTHRAX CHATTER
CELLPHONE VIRUS CHATTER
VIRUS CHATTER
ANTHRAX CHATTER
MICROSOFT CHATTER
"link=bacillus"
MSBLASTER
PHISHING
SWEN
FIREWALLS
TERMS GLOSSARY
MALICIOUS SCRIPTS: THE STATE OF THE ART DELIVERY METHOD
RESOURCES: FIGHTING BACK - FREE UTILITIES
CODE RED
WHAT'S IN A NAME
MICROSOFT
NIMDA
ANTHRAX-NIMDA CONNECTION
SCRIPT KIDDIES VRS ENGINEERS
THE UNLIKELY LADDS
VIRUS ALLERTS
IDENTITY THEFT
HEADS OFF
HEADSUP

Cyber-crime and punishment:

Nefarious characters roam the wild, wild Web

Date: January 12, 2005
Source: Zwire.com
By: Keith Phucas

Editor's note: This is the first part of a four-part series examining

criminal activity on the Internet and efforts to stop it.

NORRISTOWN - The Internet gives millions of people faster access

to more information than at any time in human history. A few mouse

clicks enables online users to buy a best-selling book, bid on baseball

memorabilia or book a flight to Bora Bora.

The global system of linked computer networks has revolutionized the

way people communicate with friends and family and the way they

work, shop and play.

According to America Online, some portion of its online subscriber

membership - which totals 35 million - sent a staggering 1.5 billion

instant messages Monday.

But computer network security specialists don't share the giddy

enthusiasm about the Internet as ordinary online surfers.

Emory Simmons, vice president of information security at Wachovia

bank, sees himself as a defender guarding the bank's network against

cyber-intruders trying to launch attacks.

"The Internet is a pretty dirty place," he said. "If you hook up a

personal computer to a modem, you have about 20 minutes before

something infects it."

Once the province of engineers and the technically savvy, today

millions depend on Internet connections to send e-mail, pay their bills,

bid in online auctions or download files of nude models.

As of July 2004, there were 201.6 million Internet users in the United

States, according to Nielsen Ratings service, about 69 percent of the

U.S. population.

But security experts warn Internet users that cyber-bad guys -

hackers, crackers and con artists - are lurking in the virtual shadows

to find a "back door" into unsuspecting users' computer systems.

A hacker using network "sniffer" software can spy on network traffic

that might include someone's computer user name, password and

Internet protocol, or IP, number that would give the hacker access to

computer systems and possibly financial information.

Most instant messages are not encrypted, which makes it easy for

sniffers to eavesdrop on conversations.

Spyware, software that gathers information about online users as they

navigate the World Wide Web, is often bundled into software and

downloaded unwittingly by Internet users.

Other cyber-saboteurs deface Web sites. Someone sabotaged the

U.S. Department of Justice's page by writing "United States

Department of Injustice" and inserting a swastika.

Other cyber-criminals engage in "spoofing" by creating phony

look-alike Web sites that appear to be a well-known company's actual

homepage. Their scam aims to fool people into disclosing confidential

information that can then be used illegally. To make a spoofed site

appear legitimate, the scammers typically recreate a site's familiar

graphical interface and logo.

Most online e-commerce sites use encryption to prevent criminals

from capturing and deciphering consumer credit-card account

information.
Once someone's personal information is stolen, the identity thief can

go on a spending spree and ruin the victim's credit rating.

A padlock icon that appears in the lower right corner of an Internet

vendor's Web pages lets users know their sales transaction will be

encrypted and thus secure. However, criminal hackers have been

known to fake the padlock icons as well and steal consumers'

credit-card account information.

Unsolicited e-mail, or "spam," is the Internet equivalent of "junk

mail" and every bit as irritating. Often, online subscribers open their

mail to find dozens of spam e-mails crowding out their e-mail

directories' legitimate messages.

Typically "spammers," the bane of all online subscribers, try to bait

users into falling for "get rich quick" schemes or other scams.
"You can't keep up with it," cyber-security expert Lance Hawk said.
In November, Hawk spoke to a group of accountants attending a

computer security conference at the Radisson Hotel in King of

Prussia.

Even technically unsophisticated hackers, called "script-kiddies," can

wreak havoc with computer networks by running automated programs

they've downloaded from the Internet. Often these hackers are

teenagers.
"If you can operate a mouse, you can launch an attack," Hawk said.
He likened the World Wide Web to the lawless Western territories of

America's 19th-century past.

"The 'www' stands for the wild, wild West," he said. "They haven't

yet put a corral around it."

Let the bidder beware

The most popular Internet auction site, eBay, brings sellers of almost

anything under the sun together with prospective buyers. Besides a

dizzying variety of collectibles and memorabilia, sellers routinely offer

planes, model trains and automobiles - even racecars.

For the first nine months of this year, eBay's revenues increased 54

percent to $2.3 billion, according to Fortune.com.

The PayPal escrow service enables eBay customers to send and

receive payments securely online.

Not surprisingly, the auction site's meteoric rise has attracted scam

artists.

In 2003, Internet auction fraud topped the list of complaints reported

to the FBI's Internet Crime Complaint Center (IC3).

Earlier this year, Arnold Engstrand was stunned when he received an

e-mail message informing him that $678 had been paid out from his

PayPal account to someone in the United Kingdom.

But Engstrand hadn't bid on anything on eBay recently, and he was

puzzled. Though the message appeared to be from eBay's PayPal

service, he later discovered it was fraudulent.

"The message was from the thief," he said.

After contacting PayPal, the Ridley Township resident concluded

someone had snatched his PayPal personal identification number.
"Once they have the password, they can do anything to transfer

funds," he said.

The experience had a chilling effect on Engstrand's future eBay

buying habits. Now he keeps substantially less money in his auction

account, he said.

Model train collector Rich Laver nearly lost $2,300 after bidding

closed on a Lionel train set up for auction on eBay.
But Laver blames himself for being too eager to buy the train, not the

online auction service.

The Lower Gwynedd man bid $2,301.99 on the train set, but a late bid

was submitted for about $2,500, Laver recalled.

However neither bid reached the seller's reserve amount of $3,000 - a

threshold value acceptable for a sale - so the seller closed the bidding.

Later, a man identifying himself as the train seller contacted Laver to

say he would accept his offer and told him to expect an e-mail

confirmation from eBay confirming the deal.

This independent haggling by sellers and prospective buyers following

auctions is commonplace, Laver said.
"There's a lot of deal making outside of the bidding," he said. "Buy

you take a risk if you deal outside of eBay."

The offline negotiating strategy also saves the seller from having to

pay a 4-percent fee to the auction company.

But the man Laver believed was the seller was actually an imposter.

However, Laver wasn't suspicious yet.

Next, Laver received an e-mail that he believed came from eBay, but

the con man had actually spoofed the message - including the

distinctive eBay logo - and directed the model train aficionado to wire

the money through Western Union.

"(He) made it so official-looking, that anyone would have sent the

money," he said.

But when the con man called Laver repeatedly on the telephone to

ask if he had wired the funds, he began to get suspicious.

The facts that the foreign-sounding caller seemed unconcerned about

adding a shipping charge and was willing to absorb the Western Union

fee raised a red flag, too.

"So I held off a day," he said.
Eventually, Laver contacted the original seller through e-mail and

figured out the solicitations were a hoax.

Laver admitted he nearly fell for the scam. Now he's wiser and has

set a limit on his PayPal account.

In 2003, eBay saw a rise in "phishing" scams that involved con artists

sending e-mails purportedly from the auction company threatening to

suspend customers unless they updated credit-card information.
Online service providers and vendors advise customers not to give

anyone a personal password or PIN under any circumstances.

Shaking consumer confidence

Online shoppers' fears of computer security threats may have

reduced how much money they spent this holiday season.
Nearly six out of 10 consumers, or 58 percent, expressed their

concerns about online shopping in a joint survey conducted by TNS

and TRUSTe. That figure is up from 49 percent from last year's

survey.

The leading reasons cited by a nationally representative sample of

1,071 respondents for reducing or halting their Internet buying

included concerns about identity theft, credit-card theft, spyware and

spam attacks.

The FBI in Philadelphia fields plenty of consumer complaints about

computer intrusions, but won't usually investigate computer viruses

that vex individual computer users.

"We get complaints in the hundreds," Special Agent Chris Wilk said.

"But we very rarely get involved."

Instead, the federal law-enforcement agency focuses its substantial

resources on corporations that have monetary losses of $200,000 or

more.

In May 2000, the FBI, Department of Justice and National White

Collar Crimes Center jointly created the Internet Fraud Complaint

Center (IFCC) as a vehicle for online-fraud victims to register their

experiences.

The IFCC was renamed the Internet Crime Complaint Center in 2003.

The IC3 processes and refers all reports it receives regardless of the

alleged monetary loss and forwards them to law-enforcement

agencies.

Last year, 124,509 complaints were registered at iC3.gov, a 60

percent increase over 2002. The total dollar losses from all fraud

reported to IC3 in 2003 was $125.6 million.

Though FBI Special Agent Norm Sanders admitted consumer fraud is

a significant problem for consumers, he said purchasing merchandise

with a credit card online is no more risky than a cardholder buying

from a retail store in the King of Prussia mall.

"In the department stores, a credit card (authorization) goes through

the same customer database as it does online," Sanders said. "If

somebody does hack that database, they'll get your information

anyway."

Keith Phucas can be reached at kphucas@timesherald.com or

610-272-2500, ext. 211.

HOME

HOME