Security Expert Witness Services

 


Security and Crime News

Return to news menu

Cyber-crime and punishment: Nefarious characters roam the wild, wild Web

Source: Zwire.com
By: Keith Phucas

NORRISTOWN - January 12, 2005 - The Internet gives millions of people faster access to more information than at any time in human history. A few mouse clicks enables online users to buy a best-selling book, bid on baseball memorabilia or book a flight to Bora Bora.

The global system of linked computer networks has revolutionized the way people communicate with friends and family and the way they work, shop and play. According to America Online, some portion of its online subscriber membership - which totals 35 million - sent a staggering 1.5 billion instant messages Monday.

But computer network security specialists don't share the giddy enthusiasm about the Internet as ordinary online surfers.
Emory Simmons, vice president of information security at Wachovia bank, sees himself as a defender guarding the bank's network against cyber-intruders trying to launch attacks.

"The Internet is a pretty dirty place," he said. "If you hook up a personal computer to a modem, you have about 20 minutes before something infects it." Once the province of engineers and the technically savvy, today millions depend on Internet connections to send e-mail, pay their bills, bid in online auctions or download files of nude models.

As of July 2004, there were 201.6 million Internet users in the United States, according to Nielsen Ratings service, about 69 percent of the U.S. population. But security experts warn Internet users that cyber-bad guys - hackers, crackers and con artists - are lurking in the virtual shadows to find a "back door" into unsuspecting users' computer systems.

A hacker using network "sniffer" software can spy on network traffic that might include someone's computer user name, password and Internet protocol, or IP, number that would give the hacker access to computer systems and possibly financial information.

Most instant messages are not encrypted, which makes it easy for sniffers to eavesdrop on conversations. Spyware, software that gathers information about online users as they navigate the World Wide Web, is often bundled into software and downloaded unwittingly by Internet users.

Other cyber-saboteurs deface Web sites. Someone sabotaged the U.S. Department of Justice's page by writing "United States Department of Injustice" and inserting a swastika.

Other cyber-criminals engage in "spoofing" by creating phony look-alike Web sites that appear to be a well-known company's actual homepage. Their scam aims to fool people into disclosing confidential information that can then be used illegally. To make a spoofed site appear legitimate, the scammers typically recreate a site's familiar graphical interface and logo.

Most online e-commerce sites use encryption to prevent criminals from capturing and deciphering consumer credit-card account information. Once someone's personal information is stolen, the identity thief can go on a spending spree and ruin the victim's credit rating.

A padlock icon that appears in the lower right corner of an Internet vendor's Web pages lets users know their sales transaction will be encrypted and thus secure. However, criminal hackers have been known to fake the padlock icons as well and steal consumers' credit-card account information.

Unsolicited e-mail, or "spam," is the Internet equivalent of "junk mail" and every bit as irritating. Often, online subscribers open their mail to find dozens of spam e-mails crowding out their e-mail directories' legitimate messages.

Typically "spammers," the bane of all online subscribers, try to bait users into falling for "get rich quick" schemes or other scams.
"You can't keep up with it," cyber-security expert Lance Hawk said.
In November, Hawk spoke to a group of accountants attending a computer security conference at the Radisson Hotel in King of Prussia.

Even technically unsophisticated hackers, called "script-kiddies," can wreak havoc with computer networks by running automated programs they've downloaded from the Internet. Often these hackers are teenagers. "If you can operate a mouse, you can launch an attack," Hawk said. He likened the World Wide Web to the lawless Western territories of America's 19th-century past. "The 'www' stands for the wild, wild West," he said. "They haven't yet put a corral around it."

Let the bidder beware
The most popular Internet auction site, eBay, brings sellers of almost anything under the sun together with prospective buyers. Besides a dizzying variety of collectibles and memorabilia, sellers routinely offer planes, model trains and automobiles - even racecars. For the first nine months of this year, eBay's revenues increased 54 percent to $2.3 billion, according to Fortune.com. The PayPal escrow service enables eBay customers to send and receive payments securely online.

Not surprisingly, the auction site's meteoric rise has attracted scam artists. In 2003, Internet auction fraud topped the list of complaints reported to the FBI's Internet Crime Complaint Center (IC3).

Earlier this year, Arnold Engstrand was stunned when he received an e-mail message informing him that $678 had been paid out from his PayPal account to someone in the United Kingdom. But Engstrand hadn't bid on anything on eBay recently, and he was puzzled. Though the message appeared to be from eBay's PayPal service, he later discovered it was fraudulent.

"The message was from the thief," he said. After contacting PayPal, the Ridley Township resident concluded som eone had snatched his PayPal personal identification number. "Once they have the password, they can do anything to transfer funds," he said.

The experience had a chilling effect on Engstrand's future eBay buying habits. Now he keeps substantially less money in his auction account, he said.

Model train collector Rich Laver nearly lost $2,300 after bidding closed on a Lionel train set up for auction on eBay.
But Laver blames himself for being too eager to buy the train, not the online auction service.

The Lower Gwynedd man bid $2,301.99 on the train set, but a late bid was submitted for about $2,500, Laver recalled. However neither bid reached the seller's reserve amount of $3,000 - a threshold value acceptable for a sale - so the seller closed the bidding.

Later, a man identifying himself as the train seller contacted Laver to say he would accept his offer and told him to expect an e-mail confirmation from eBay confirming the deal.

This independent haggling by sellers and prospective buyers following auctions is commonplace, Laver said. "There's a lot of deal making outside of the bidding," he said. "Buy you take a risk if you deal outside of eBay." The offline negotiating strategy also saves the seller from having to pay a 4-percent fee to the auction company. But the man Laver believed was the seller was actually an imposter. However, Laver wasn't suspicious yet.

Next, Laver received an e-mail that he believed came from eBay, but the con man had actually spoofed the message - including the distinctive eBay logo - and directed the model train aficionado to wire the money through Western Union. "(He) made it so official-looking, that anyone would have sent the money," he said.

But when the con man called Laver repeatedly on the telephone to ask if he had wired the funds, he began to get suspicious.
The facts that the foreign-sounding caller seemed unconcerned about adding a shipping charge and was willing to absorb the Western Union fee raised a red flag, too.

"So I held off a day," he said. Eventually, Laver contacted the original seller through e-mail and figured out the solicitations were a hoax. Laver admitted he nearly fell for the scam. Now he's wiser and has set a limit on his PayPal account.

In 2003, eBay saw a rise in "phishing" scams that involved con artists sending e-mails purportedly from the auction company threatening to suspend customers unless they updated credit-card information. Online service providers and vendors advise customers not to give anyone a personal password or PIN under any circumstances.

Shaking consumer confidence
Online shoppers' fears of computer security threats may have reduced how much money they spent this holiday season.
Nearly six out of 10 consumers, or 58 percent, expressed their concerns about online shopping in a joint survey conducted by TNS and TRUSTe. That figure is up from 49 percent from last year's survey.

The leading reasons cited by a nationally representative sample of 1,071 respondents for reducing or halting their Internet buying included concerns about identity theft, credit-card theft, spyware and spam attacks. The FBI in Philadelphia fields plenty of consumer complaints about computer intrusions, but won't usually investigate computer viruses that vex individual computer users.

"We get complaints in the hundreds," Special Agent Chris Wilk said. "But we very rarely get involved." Instead, the federal law-enforcement agency focuses its substantial resources on corporations that have monetary losses of $200,000 or more.

In May 2000, the FBI, Department of Justice and National White Collar Crimes Center jointly created the Internet Fraud Complaint Center (IFCC) as a vehicle for online-fraud victims to register their experiences. The IFCC was renamed the Internet Crime Complaint Center in 2003. The IC3 processes and refers all reports it receives regardless of the alleged monetary loss and forwards them to law-enforcement agencies. Last year, 124,509 complaints were registered at iC3.gov, a 60 percent increase over 2002. The total dollar losses from all fraud reported to IC3 in 2003 was $125.6 million.

Though FBI Special Agent Norm Sanders admitted consumer fraud is a significant problem for consumers, he said purchasing merchandise with a credit card online is no more risky than a cardholder buying from a retail store in the King of Prussia mall.

"In the department stores, a credit card (authorization) goes through the same customer database as it does online," Sanders said. "If somebody does hack that database, they'll get your information anyway."

Keith Phucas can be reached at kphucas@timesherald.com or 610-272-2500, ext. 211.

 

 

Security Questions?

For more information, assistance, or a free consultation, Call our office at
(912) 441-2059, or

J. R. Roberts
Security Strategies
PO Box 279
Balsam, North Carolina
28707

(912) 441-2059

 


© J. R. Roberts, Security Strategies