Computer Crime Research Center

etc/8892.jpg

Crooks slither into Net's shady nooks and crannies

Date: October 21, 2004
Source: USA Today
By: Jon Swartz

Organized crime rings and petty thieves are flocking to the Internet like start-ups in the go-go '90s, federal authorities say — establishing a multibillion-dollar underground economy in just a few years.

"Willie Sutton used to say he robbed banks because that's where the money is," says FBI Agent Keith Lourdeau, an expert on cybercrime. "The same applies today to crooks and the Internet."

The Internet's growth as an economic engine, particularly for financial transactions, is feeding the felonious frenzy.

Lured by shoddy computer security and the ability to commit crimes from far-flung countries, the Russian mafia and other Eastern European gangs are plunging into spam, phishing schemes, cyberextortion and the trafficking of stolen goods online, authorities say. Many hire hackers in economically depressed countries, but a growing number are becoming computer savvy to do the dirty work themselves.

Crime syndicates and the Internet are a natural fit, security experts say. Both are global, thrive on flexible networks and require specialization. The Net has allowed offshore gangs to branch into other ventures while devising new ways to commit old crimes, such as money laundering and counterfeiting.

Criminals shop on illicit computer bulletin boards for stolen credit card numbers as they would for books on Amazon.com. They threaten devastating electronic attacks on Web sites unless they are paid. Online bank accounts are under siege. And millions of hijacked computers, or zombies — infected with malicious code under the control of a hacker without the owner's knowledge — perpetrate the schemes without a trail.

Consumers and businesses, as a consequence, lost at least $14 billion to digital thieves last year, although most of the crimes went undetected or unreported, experts say. Spam alone accounted for $10 billion, Ferris Research says. Fraud cost online merchants $2 billion more, Gartner Research says. And phishing — fraudulent e-mail messages and Web sites designed to trick consumers into divulging personal information — gouged consumers by $2 billion in the 12-month period ended in April, Gartner says.

The surge in cybercrime has triggered changes not only in criminal behavior but also in law enforcement.

The FBI, in the midst of beefing up its cyberdivision, is investigating 2,700 cybercrime-related cases nationwide, two-thirds of them opened in the past year. Of those cases, 346 individuals have been convicted.

"This is more sophisticated stuff than purse snatching," FBI Agent Tom Grasso says.

Crime.com

Computer crime has never been so lucrative. With the Internet as ubiquitous as cable TV, there are millions of potential victims banking and shopping online. Contributing to the chaos: security flaws in business, home and university computers, and few effective cybercrime laws in the USA and abroad.

What is more, homeland-security measures designed to tighten U.S. borders and fortify physical infrastructures may have drawn crime syndicates to technology, which is relatively invisible, security experts say. "Crooks like the Internet because it is less violent and carries lighter penalties than loan sharking and drugs," Grasso says.

What makes online endeavors particularly attractive is that crooks and their accomplices don't have to meet. They can collaborate across continents and exploit the computers of innocent bystanders to carry out their crimes. U.S. Rep. Mac Thornberry, R-Texas, chairman of the Homeland Security Committee's cybersecurity subcommittee, compares the problem to the rise of street gangs in the 1920s and 1930s.

Cybercrooks are focusing on:

•Extortion. What started out as a digital shakedown of gambling Web sites has expanded, federal authorities say. Nearly one-fifth of 100 small and midsize companies polled this summer say they have been targets of cyberextortion threats, according to a survey by Carnegie Mellon University's H. John Heinz III School of Public Policy and Management and InformationWeek magazine.

Banks and companies planning initial public stock offerings are the latest targets of shadowy hackers, who demand $20,000 to $50,000 for protection from distributed denial-of-service attacks, which bombard and paralyze a Web site with data. Often, the e-mail threats are issued shortly before an attack, demanding that cash be sent to a Western Union office overseas.

In July, young Russian hackers were arrested for operating an extortion ring that for nearly a year cost British banks as much as $73 million in lost business and damages, government officials in Russia told Itar-Tass news agency.

In an attack in the USA last month, the Web site of Authorize.Net, a processor of credit card transactions for thousands of small and midsize businesses, was hit for several days, disrupting service. Authorize.Net rejected several e-mails demanding a "significant amount" of money, says David Schwartz, a spokesman. An unknown number of zombie computers were used in the attack, he said. The FBI is investigating.

Authorize.Net downplayed the attacks, but some of its customers said the withering assaults were costly. "I lost $15,000," says David Hoekje, president of PartsGuy.com, an online retailer of heating and air-conditioning parts.

As cyberextortion grows, attacks are becoming more sophisticated. Some extortionists monitor how their targets defend themselves, so they can alter attacks. They enlist new zombie computers unfamiliar to the company under siege or change the type of data used in an electronic assault.

•Fraud. The most fertile online territory for crooks runs the gamut from credit card theft and phishing to electronic burglary schemes.

In one of the largest Internet fraud investigations, the FBI and international law-enforcement authorities in August obtained a federal grand-jury indictment of a suspected Romanian computer hacker and five Americans on charges they conspired to steal more than $10 million in computer equipment from distributor Ingram Micro in Santa Ana, Calif.

The indictment charges that Calin Mateias, 24, using the alias Dr. Mengele, hacked into Ingram's online ordering system and placed fraudulent orders for computer equipment. The order directed the equipment be sent to dozens of addresses throughout the USA.

Mateias may be extradited to the USA from Romania. The American suspects are awaiting trial.

Big banks and credit card companies are bearing the brunt of Internet-related fraud. More than 60% of computer hacks targeted financial institutions last year, says market researcher IDC. About 30 million credit card numbers have been stolen through computer-security breachessince 1999,resulting in $15 billion in losses, according to the FBI.

"It's like picking someone's pocket before they enter the bank," says Bill Burnham, managing partner at venture firm Softbank Capital Partners.

Banks are loath to discuss break-ins out of fear of spooking customers and are willing to quietly eat losses from fraud, says security consultant John Frazzini, a former U.S. Secret Service agent.

Federal authorities in the USA and Great Britain also note a sharp rise in phishing by organized crime as it recognizes how much money can be made with little or no overhead.

A three-year investigation by the FBI and England's National Hi-Tech Crime Unit has led to the arrest of 30 members of an Eastern European crime ring accused of dabbling in phishing and ID theft. The most recent bust was of a high-level member on June 4 who is allegedly in charge of the ring's money laundering, the Department of Justice says.

Another popular scam entails an elaborate shipping network for expensive goods purchased online with stolen credit cards. Fraudulent online buyers in West Africa have goods shipped to Europe, where an accomplice or legitimate delivery service re-ships the items to West Africa, FBI agents say. Re-shippers are recruited in chat rooms, online job postings and over the phone. They are either paid with counterfeit cashier's checks or allowed to keep some merchandise. Though the scheme requires a cash outlay, it is an inexpensive way to move stolen products without revealing the identity of the original buyer, agents say.

Working with the FBI, Nigerian officials recently seized more than $340,000 in illegally obtained online merchandise and recovered $115,000 in fraudulent cashier's checks issued against U.S. financial institutions. Nearly 20 people were arrested.

A legislative fix?

The computer-crime epidemic has set off a reorganization by agencies such as the FBI and Secret Service, as well as a flurry of activity in Congress. Nearly a year after the first federal anti-spam law, bills wending through the House and Senate would give cybercrime fighters more heft and would outlaw phishing and ban spyware, the irritating software that quietly monitors the activities of Internet users.

An anti-phishing bill recently introduced by Sen. Patrick Leahy, D-Vt., would make it a crime to phish. It carries a $250,000 fine and up to five years in jail.

On Oct. 7, the House passed the second bill in three days that would outlaw spyware. It carries a penalty of up to five years in prison for people convicted of installing such programs without a computer user's permission.

"We need to act quickly before this spirals even more out of control," says Rep. Thornberry, co-author of...


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo