Cyber Scams Creativity At Its Worst

May 23, 2005
Print
Text Size:
A A

COMSTOCK PARK — Kore/Hi Com Inc. sales consultant Michael Frey had never received a phone call via Teletype for the Deaf. An operator explained to him how the service worked: There was a hearing-impaired man on the other end who could not use a telephone. She would relay his typed messages to Frey, and type Frey’s spoken words for transmission to the man’s TTD device.

Not only was the man hearing impaired, but a foreigner, as well. He wanted to buy some laptops and had been referred to the company through a friend. The translation quickly became cumbersome and Frey suggested they continue the discussion through e-mail.

The first e-mail revealed that the prospect, Larry Gate of New Jersey, wanted three Toshiba laptops, or whatever was in stock.

“We need it urgent,” Gate wrote. “This is a new orphanage department welfare schools which has been established and I will handle the shipping with my UPS account number since it is located in Ghana …”

Gate went on to request the total cost to be charged on his Visa, and urged Frey for a response as soon as possible.

“It was obviously a scam,” Frey said. “They were taking advantage of people’s good hearts. That was the reason it got that far in the first place; we didn’t want to hang up on the poor handicapped guy.”

The crux of the scam was to aim for small companies that would appreciate falling into a moderately large order. Ironically, resale is only a portion of Kore/Hi Com’s business; IT security management is its core competency.

So the firm decided to string Gate along for a bit.

Kore/Hi Com has no connections in New Jersey, so Frey inquired as to how Gate had chosen his firm. His friend Michael Douglas had referred him to its Web site, he said.

When his credit card turned out to be over limit, not to mention stolen, Gate e-mailed two separate numbers and said to split the cost between them. Both were also stolen cards.

Another example of Internet fraud recently popped up at Star Theatre. In front of the registers at the ticket counter and in various places throughout the lobby were notices stating that a popular “free popcorn” coupon available online was counterfeit. Apparently, the date on an obsolete coupon had been altered and then proliferated across a mass of free coupon sites. At the time of publication, the coupon was still available on a dozen different sites, with an accompanying discussion on one (www.spoofee.com) concerning its authenticity.

“The ways people are launching these attacks are becoming more sophisticated,” said Anthony Wojcik, director of the Cybersecurity Initiative at Michigan State University. “It’s more and more of the same, but they become more sophisticated. Technology is becoming so pervasive, it requires the consumer to understand a lot more to really safeguard him or herself.”

The most prevalent of today’s scams are old punch lines with new leads. The Ghana computer scenario is a hybrid version of the Nigerian bank scheme of two years ago — an e-mail version of the most common confidence game of the past century offering huge return for small investment — and age-old currency fraud, wherein a retailer or individual discovers later that his receivable was counterfeit, stolen or nonexistent.

The flip side of that is as old as Jack and his magic beans: A consumer purchases goods that prove to be fake, broken or nonexistent. The world’s largest Internet auction site, eBay, is also the world’s largest channel for consumer fraud. Nearly a quarter of all online purchases in the United States occur on eBay, with estimates that as much as 5 percent of those are frauds.

Society as a whole has grown accustomed to these crimes. Common sense weeds out the majority of scams on the street. As Wojcik notes, computers and the Internet until recently were accessible only to the most advanced criminals.

Today, there is still only a small — albeit growing — niche of programmers writing computer viruses and worms.

“These are problems, and there is a significant cost to them. When you add it up, one of the recent worms caused $64 billion worth of damage,” said Wojcik. “Right here on campus, our Wharton Center of Performance Arts had its record base hacked into. But the impact on the individual is not as prevalent as these new types of attacks.”

In only the past two years, lowlifes and common criminals have developed e-commerce models. First there was spam; now there are phish.

Roughly a year ago, the nation became aware of the use of fraudulent Web sites designed to mimic realistic sites of common service providers such as Citibank and PayPal. A spam e-mail with a fake letter explaining a bank error or account crisis urgently directed individuals to the site. Once there, consumers were asked for private information such as e-mail addresses and credit card and Social Security numbers.

This practice is a subset of identity theft. Like other scams, identity theft is not new, but in the electronic age it has reached new heights (see related story). Identity information is traded and sold on underground auction sites and one leak could spawn years of hassle. Millions of consumers are at risk through no action of their own. One instance involved Wojcik’s daughter’s credit card number; he was notified of a series of unusual purchases only days prior to speaking with the Business Journal.

“The most difficult thing about educating yourself about these threats is that it changes so quickly,” said Scott Montgomery, CPR’s director of security. “Awareness is so extremely important. The work I was doing a year ago isn’t as valuable today.”

Unlike virus writers and most hackers, identity theft is driven by financial gain. Its practitioners are constantly seeking new markets and distribution channels.

IT security consultants like CPR now battle spyware and keystroke loggers along with viruses and hackers. These new threats are essentially viruses that record data from a computer and transmit it to its author. The first of these weren’t malicious but commercial, aimed at collecting consumer data. Most versions today, however, are malicious.

The Anti-Phishing Working Group released a report in March noting that attacks were consistently reliant on keystroke loggers. Administrative passwords open the door to hackers, while private information is used for identity theft.

Last week, CNET News detailed a new generation of phishing attack discovered by security company Cyota. Targeting the customers of large financial institutions, the scheme takes aim at individual customers. Using fragmented account information compiled through spyware or trade, the attacker sends a custom e-mail to each prospect. The recipient is directed to a mimicked site and is asked for additional information, including the credit card’s CVD code, the series of authenticating digits on the back of the card.

“So far, the success rates that we’ve seen are amazing,” Cyota co-founder Amir Orad told CNET. “People are expecting a crude attack that tries to steal their information; they’re not expecting to see this much real information as part of the attack.”

Of further concern to businesses is the brand erosion that phishing causes: Since 2003, 149 different brands have been attacked, including 64 in February alone, according to the Anti-Phishing report. In the week before presstime, the group identified 710 active Web sites. Of the past 10 weeks, the lowest reported amount of new phishing sites in a week was 669.    

Recent Articles by Daniel Schoonmaker

Editor's Picks

Comments powered by Disqus