Posted on Sep 29, 2007 - 12:38pm by Terry Green in Computers, Security
For the grizzled internet veterans out there, details on the seedy underworld of cyber-crime are nothing new. For the rest of us, let me present some of the sordid details. Have you wondered why you get so much spam and who is responsible for it? Surely it is just the equivalent of junk mail in our home mailbox, right?
Sadly enough, in many cases no. Spam, phishing emails, and spyware are just the tip of the iceberg among the many tools that cyber-criminals use these days to steal millions of dollars every year from everyday people like us. How real is this threat? Consider this account and the level of detail that the criminal had to have to pull this off:
It was July 2004 and Brian Campbell had been on Isla Mujeres off the coast of Cancun for three days for a relative’s wedding when he discovered he’d been scammed.
An American MBA student studying in Australia at the time, Campbell (not his real name) was accustomed to checking his investment portfolio daily over the internet. But the wedding distracted him a couple of days, and when he finally got online, he found he was locked out of his Schwab trading account.
He called Schwab and discovered that his user name and password had been changed. What’s more, $106,000 had recently been wired from his account to a Fortis bank account in Belgium. Campbell hadn’t requested the transfer.
Unknown to Campbell, a cyber thief who went by the nick “desertmack” had gained access to his e-mail account and had been watching him for weeks. The Mexico wedding was the break desertmack needed. He’d been hoping a little tequila and sunshine would distract Campbell from obsessively checking his brokerage account long enough to steal the money and send it to Brussels, where an accomplice would withdraw it.
A more complete account of the life of a cyber-thief turned FBI informant was written by Wired here.
If this has your attention, then consider that Campbell’s account represents a detailed attack on a single individual. The greater risk to most of us comes from the large-scale scams designed to capture information from thousands if not millions of consumers. A follow-up article by Wired details how prevalent this is.
There was also a service called PhantomInfo, which consisted of a script that tapped into the computers of the ChoicePoint data broker. For $29 a month you could send unlimited e-mails to phantominfo@xanon.net containing the names of victims whose identity you wanted to steal; the program would search ChoicePoint’s database and reply with the victim’s Social Security number and current address.
“Today, it’s just normal, everyday stuff,” Thomas says. “But back then it was the first that we had seen of that kind.”
Did you catch that? “Today, it’s just normal, everyday stuff.”
The days of identity theft by lone individuals have given way to international organized crime. There have been several high-profile busts that highlight how well organized these criminal elements are. Pavel Chistov was referenced in the above article as a key player who was busted. From an article in Pravda.ru:
Investigators determined that Pavel Chistov created a website in August of 2002, which offered clients a variety of services. The criminals had client databases at their disposal, and it did not cost them much to use that information for counterfeit cards. The price of one fake card varied from $100 to $500.
So essentially, they can create a counterfeit version of your credit card, and in some cases your ATM card, and sell it for up to $500 to someone who will use it to run up charges, max out your credit card, and clean out your bank account. In many cases the goods purchased were resold at below market value to help cover their tracks and launder the money. So the criminal would buy a duplicate credit card, drain your account via online purchases, have the goods shipped to random drop-off locations, then turn around, sell the goods, and pocket the cash, in many cases before you would notice. According to Thomas, “…guys were making $100,000 a day.”
So what does this have to do with me receiving unwanted emails?
To answer that, let me ask: how do they get all this information? The data has to come either from the bank or financial system being compromised, over which you have no control, or from your own computer systems being compromised. While there have certainly been several high-profile breaches in the financial systems, Visa and others have worked very hard to adopt more secure and rigid standards and are enforcing them. This isn’t to say that they can’t be breached again, but that they are now aware of the problem and are working to keep it under control. Further, there is little you can do to secure yourself in the system.
What about your computer now? How do they get your personal information, such as when you are going on vacation, your bank account number, PIN, date of birth, etc.? To do this they often rely on tricking you into giving it to them willingly. Here is how:
Trojans – this refers to a method of tricking you into letting them have access to your computer. Simply viewing spam in the preview pane or going to a website can cause malicious code to run on computers that are not properly configured or don’t have the latest patches. That game, picture, or movie file you downloaded can just as easily be infected. This code can be used to install programs that spy on your email, web browser, or even keystrokes. Your computer can also be used to attack other websites and to harvest contacts from your address book for further attacks. Here are some examples.
The lesson is – keep your computer up to date with the latest OS patches and anti-virus software. Even with this, don’t open emails or install programs unless they are from a trusted source.
Phishing – this refers to emails that are designed to fool you into giving out information about yourself. Often they are emails that appear to come from a bank, telling you that your password or PIN has been stolen and that you need to log in and change it immediately: simply click on the link below and you can reset it. That link takes you to a site with the bank’s name in the URL, with all the graphics and text identical to your bank’s current page…except it isn’t. It is a site designed to fool you into giving out your username and password. Some have been sophisticated enough to even take that information and log you on to the real site, so you will never know you gave out your personal information to a cyber-thief. Judge for yourself how convincing these can be here and here.
The lesson is – never click on a link in an email that requires personal information. Go directly to the main site or, if you have any doubts, call customer service (not the number on the email but on your bank statement).
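An added example, not part of the original post: Python that scans the links in an email's HTML for the phishing signs described above (the bank's name on a host the bank does not own, and link text that shows the bank's address while pointing elsewhere). The domain `examplebank.com`, the brand string and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "examplebank.com"   # assumption: the bank's real domain
BRAND = "examplebank"         # assumption: brand string phishers imitate

def host_of(value):
    """Hostname of a URL or bare 'www.site.tld/path' string, '' if none."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value.strip())
        return (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def trusted(host):
    # Exact domain or a true subdomain; "examplebank.com.evil.example" fails.
    return host == TRUSTED or host.endswith("." + TRUSTED)

class Links(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text)))
            self._href = None

def check_link(href, text):
    reasons = [] if href.lower().startswith("https://") else ["not-https"]
    if not trusted(host_of(href)):
        if BRAND in href.lower():          # bank name used as bait
            reasons.append("brand-on-untrusted-host")
        if trusted(host_of(text)):         # text shows bank, link goes elsewhere
            reasons.append("text-href-mismatch")
    return reasons

def scan_email(html):
    parser = Links()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.found}

# Constructed sample message, not a real phishing email.
SAMPLE = ('<a href="http://www.examplebank.com.account-verify.example/login">'
          'https://www.examplebank.com/login</a> <a href="https://www.examplebank.com/help">Help</a>')
```

An empty list for a link means none of these three signs was found, not that the link is safe.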
This is by no means comprehensive. I am working on follow-ups that cover these and other security concerns in more detail. It is a starting place to make readers aware that while the internet is a great resource for information, entertainment, and resources, it is also a place that can prey on the uninformed.
A few tips to help you on your way to better secure your internet experience:
Never send personal information over email, and when you receive passwords over email, change them.
Make sure you verify that the site where you are about to enter your user name and password is using SSL encryption.
If your password is in the dictionary, it is not secure. If your computer is at home, go ahead and write your passwords down in a safe spot on your desk rather than use the same insecure password for every site. Here is a great article on creating secure passwords.
If you use Microsoft go here for more help on securing your computer, yourself, and your family. Make sure you change your security settings so that you, by default, are set to not trust any site unless you specifically allow it. Also consider installing an alternate browser to Internet Explorer such as Firefox.
Social networking sites are starting to blossom with kids and young adults wanting to socialize with each other, and they are becoming targets. Every parent should at a minimum review these with their kids. To further assist parents, Onguardonline.gov is a site set up by the FTC to provide parents with resources for helping their kids stay secure. Remember, kids can be especially vulnerable to Trojan schemes when they think they are getting emails from their peers to install games or visit websites.
Again, these are all pretty basic items. And while each point deserves more detailed accounts and descriptions, that will have to be another article.
One Response
Resort Wedding
June 11th, 2009 at 9:29 am
People really need this kind of awareness. Thanks for sharing this.