The Internet has become an integral part of today's economy. As Internet use increases, so do security concerns. Criminals increasingly take advantage of system architectural flaws to perpetrate fraud and other related crimes. This paper provides an overview of several commonly encountered scenarios involving cybercrime. The authors further describe industry efforts to address these architectural flaws, including Trusted Platform Modules, which can be used to enable more secure system architectures and prevent fraud and identity theft.
Internet Crime Is On The Rise
Viruses. Worms. Hijacking. Spoofing. Phishing. Scamming. Hacking. This is the lexicon of cybercrime. It runs the gamut from bombarding servers with e-mail until they shut down to stealing the credit card numbers and identities of individuals. The number of complaints submitted to the Internet Fraud Complaint Center (IFCC) tripled during 2002 to 75,000, and these crimes resulted in $54 million in consumer losses. An additional 500,000 to 700,000 Americans have their identities stolen each year; 70% of these victims have e-mail contact with the perpetrators. The cost of worms, viruses and hacking crimes is in the billions of dollars each year.
There are two basic classes of Internet crimes: those in which the victim unwittingly participates, and those in which a hole in network security provides an opportunity for a criminal to steal information ("hack") or release a "worm." Internet auction scams, hijacking and viruses require victim participation and take advantage of the "trust" the victim has in the authenticity of a Web site or the identity of an e-mail author.
In Internet auction scams, the criminal steals an otherwise valid identity to sell non-existent merchandise or creates a fake escrow account to acquire merchandise without paying for it. The victim trusts that the seller or the escrow account is genuine and either pays for merchandise that does not exist or ships merchandise that will never be paid for. One Connecticut woman used the fake ID method to steal $880,000 from 300 victims before getting caught.
Hijacking is a scam in which the victim receives an e-mail requesting that sensitive financial information be submitted to a well-known and trusted Web site to resolve security issues (e.g., the PayPal® or Best Buy® scams from the summer of 2003). Victims are reached via "phishing" expeditions that send e-mails to millions of randomly generated addresses at known domains. A few of the addresses are valid and reach real people. The e-mail asks the victim to log in to the trusted Web site. The seemingly authentic Web site to which the victim responds is actually a fake ("hijacked" or "spoofed") site that emulates and is linked to, but is not, the trusted Web site. In the Best Buy scam, customers were told their credit card numbers had been stolen and were asked to submit sensitive information. In the PayPal scam, users of eBay®'s service were asked to verify their information by providing credit card, bank account and personal identification numbers. Since the hijacked sites were linked to and looked like the actual sites, they appeared to be trustworthy. But they were not. The victims' identities were stolen because they trusted something they shouldn't have.
Viruses are computer programs that often arrive as attachments to e-mails that appear to be from a trusted source, someone the victim knows. However, when the victim clicks on the attachment, a havoc-wreaking program is executed that may do a little or a lot of damage to the victim's computer or network by creating files, erasing files or shutting down the computer. More importantly, the virus e-mails itself to the entire address book on the victim's computer, under the victim's signature. The next victim believes he or she is receiving an attachment from a trusted source. The recent Sobig.F virus infected 7,000 computers with e-mails entitled "Thank you," "Your details," "My details," "Approved," "Wicked screen saver" and "That Movie." The attachments that launched the virus were named application.pif, details.pif, and thank-you.pif. In addition to mailing itself to each victim's address book, the Sobig.F.pif file instructed infected machines to download a program of unknown function.
Spam is more than just a pain; it is also a vehicle for Internet fraud that includes "work at home," "get out of debt" and "get rich quick" schemes. The most famous spam fraud is the "Nigerian letter" in which the recipient is offered several million dollars to help a Nigerian official transfer tens of millions of dollars out of that country. Before collecting the millions, the victim must deposit a nominal sum (averaging $3,864 per victim) in an account. Of course, the victim never sees his or her money again.
All of the above crimes require that the victims actively participate in the perpetration of the crime. The victims are duped because there is no good way to authenticate the identity of the e-mail source or Web site. Victims trust when they shouldn't.
Those crimes that require no direct cooperation from the victim include hacking and worms. Both types of crime take advantage of weaknesses in network security or server software.
In hacking, a real person gains control of someone else's computer and steals data. In early 2003, eight million credit card account numbers were stolen from MasterCard®, VISA® and American Express®. Earlier in 2002, credit information on 30,000 customers of Ford Motor Credit was stolen, resulting in financial losses of $2.7 million and the nightmare of repairing ruined credit records. The average victim of credit card theft loses $120.
Worms infect large networks by "worming" their way through holes in a network's security. Since a worm requires no human intervention, it is much more difficult to prevent or detect. Once inside, worms erase and create files, steal passwords, create rogue e-mail servers that continue to spam, crash the network or do other mischief. They also replicate themselves and spread through other networks. In August of 2003, the "Blaster" worm is said to have infected as many as a million computers worldwide within a week. The infected computers were to be used to send millions of e-mails (denial of service attack) to Microsoft®'s network and shut it down. The infected computers also "registered" with the worm's originator so he could have future access to them. Blaster and related worms crashed Air Canada®'s phone reservation system, CSX rail service and the Maryland State Department of Motor Vehicles. Blaster is estimated to have cost North American businesses $1.3 billion.
Internet crimes are getting bolder, more sophisticated and more expensive. It's time for both software and hardware vendors to take effective measures to stop the bleeding.