The Dark Side and the Fool's Gold
From first pranks to organised crime
As seen from early accounts, pranks and practical jokes were an integral part of the original hacker culture - even the term 'hack' had an early meaning of 'practical joke' (see also http://hacks.mit.edu). Materially benefitting from others' gullibility was, however, a taboo for a long time. Still as the commercial world broke into the primal 'hacker paradise', these rules started to change.
One of the early hackers entering the 'grey zone' was probably Cap'n Crunch (aka John Draper) who discovered in 1971 that a toy whistle can be used to generate the 2600Hz tone used in long-distance calls in the U.S. He built the first blue box that allowed to make calls for free (actually he was not the first person to exploit the 2600Hz tone - the first recorded case was Joe Engressia in 1969, who, being blind, discovered that by whistling a certain tone, he was able to make free calls). Another early device is described by Kevin Mitnick in his The Art of Deception - this mimicked the falling sound of the coin, allowing free calls in payphone (Mitnick also describes his hack on the local bus system, allowing him free rides).
During the following years, malicious activity grew on the net, but these were mostly cracking cases motivated by excessive curiosity (although the cracker groups like the Legion of Doom were born already in the 80s). The year 1994, however, brings along some notable milestones towards online crime. First the first commercially motivated, unsolicited e-mail message appeared to newsgroups and got labeled as 'spam'. Second, the first case of large-scale online theft happened as a young Russian known as Vladimir Levin stole 10 million US dollars from Citibank (was later caught and imprisoned, but 400 000$ disappeared). And finally, this was the year of arrest of possibly the most feared cracker in history, Kevin Mitnick - although Mitnick was not primarily engaged in online theft, he had gathered 20 000 credit card numbers at the time of his arrest (some of which were likely used to cover his 'running costs'; yet some sources strongly disagree with this).
The first real Internet frauds probably occurred soon after the Net was discovered as a marketing and trade channel. In turn, this happened when the critical mass of users was reached due to Internet reaching mainstream. The http://www.fraud.org website has compiled fraud statistics since 1997 - this gives a good overview of the trends. As for 2007 (the most recent release at the time of writing), the largest share of online frauds are the fake check frauds at 29% and the merchandise scams (goods are paid for but not delivered) at 23%, making it 52% of all registered cases, average financial losses being respectively at about 3.3 and 1.1 thousand USD. Meanwhile, the infamous 'Nigerian letters' have a relatively small 'market share' of 11 per cent, but the average loss exceeds 4 000 USD (this is probably due to very large sums promised to victims as well as very experienced criminals running the 'industry').
Social engineering over the Net
The first frauds were simple - someone offered some goods with very favourable prices, asked for payment in advance and never delivered. This kind of activity can be still found in the Net, but as the online trade became more organised with appearance of larger players (eBay, Amazon etc), it became more difficult to get away. In most places, failure to play fair results in banishment of the fraudster, who needs to find another place to practice. This kind of fraudsters generally prefer popular goods with small dimensions, e.g. jewelry, watches, cameras etc. To reach potential clients, many fraudsters either practice spamming themselves or order "mass marketing" from dedicated spammers.
However, this kind of fraud is relatively small-scale compared to the credit card frauds. This sector is rapidly increasing and is connected to the spyware makers - various malware like Trojan horses and keyloggers are used to obtain credit card information, which then is used to purchase various goods over the Net. But spyware is not the only way to get credit card data - methods include stealing of credit cards, intrusion to companies' databases, stealing computers containing valuable data and many kinds of social engineering. Even the so-called 'secure transactions' are not always secure (somehow it seems to be a bigger problem in the US due to the specific features of business practices and transfer systems) - while most of the online transactions are encrypted nowadays, it is possible to intercept the transfer before the encryption is applied (e.g. hijacking the user's computer with a Trojan horse).
The features of the US banking system (especially the use of cheques which are still a widespread payment option in the US, while being much less used in the UK and France and long gone in Northern Europe) allow fraudsters to use social engineering to obtain wire transfer information from the merchants, which is then used to generate fake cheques to pay for goods.
Another largely US-specific feature that has increasingly been exploited during the recent years is postal money orders. These are cheques which are meant for sending by ordinary post system. Although they are designed to be relatively secure (using similar technologies with regular bank notes), they have been increasingly counterfeited by criminals. Having a quite long and relatively 'clean' history, people may well be less suspicious than with bank notes. Like in many other kinds of online crime, the main sources tend to be West Africa and Eastern Europe.
Car scams, on the other hand, have been found all over the net. These may include pretending to sell a car and convincing the potential buyer to send in some money 'to cover the transaction costs'. It is also possible to do a typical 'money-change' scam with large-sum counterfeited cheques: to send in a fake cheque for e.g. $35000 for a $31000 car and ask the victim to return the balance of $4000. Later, the cheque will bounce and the balance money is lost. There are also other options.
There are also dating scams which involve 'friends' targetting someone via various related websites. After a brief 'friendship' period the victim will be asked for some money to cover the travel costs. Although these sums might be smaller, people have lost substantial amounds as well. Probably the most infamous are the 'Russian bride' scams but similar things do occur elsewhere as well.
As already said, all these types are more based on a varying degree of social engineering than pure technology-based identity theft (using sniffers, keyloggers etc).
Credit card frauds
Credit card frauds are a subclass of identity theft. The most straightforward way is to send out (by e-mail, often spammed) inquiries to various merchants, asking if they accept credit cards. Stolen credit card data is then used to pay for the goods - later, the seller will usually receive a chargeback demand from the credit card company and will lose his/her money.
The more ingenious schemes involve getting a 're-shipper' somewhere 'in the West'. It might be a woman who were targetted over a chat or dating service and promised a marriage (a favourite trick of some Nigerians), or someone who reacted to a spammed 'business proposal'. The re-shipper is convinced to receive some goods (no payments are needed) and then forward them to an address that is safe for scammers (e.g. somewhere in Nigeria). The goods are purchased using stolen cards, but when they are tracked, usually only the re-shipper will be caught.
The originally 'hackish'-sounding word (might be just a cracker slang substituting 'f' with 'ph' as in 'phreak', another explanation is to read the 'ph' as abbreviated 'password harvesting' - the general idea is to 'fish' for gullible persons willing to reveal their personal information) has largely become a household term due to the onslaught of malware at the beginning of the new millennium.
Phishing has always been most successful in large, loosely knit network communities consisting of people with little or no IT knowledge - its birthplace was AOL (formerly America Online), the online service has long been notorious for its clueless and bad-mannered users - even to the point that in many hacker communities, 'you what, from AOL?' was regarded as the highest degree of insult. However, as AOL made its policies a lot stricter at the turn of the century, phishers gradually moved elsewhere and nowadays roam widely in social networking websites like MySpace. Two other partners for phishing are spam (unsolicited e-mail) and spyware, as both are widely used to distribute phishing schemes too.
These frauds may also involve social engineering (most do), but they will also use various technology-based attacks. These include:
- direct cracking - hijacking the users' computers by using various known vulnerabilities and security holes which tend to exist in all operating systems (even though the top pick is still MS Windows). In many cases, this is done using an exploit (a piece of software designed to use a specific weakness in specific system) created and made available online by someone else - making it even unnecessary for the exploiter to have thorough IT knowledge (this kind of malefactors are known as 'script kiddies'). The hijacked machine is usually controlled via a rootkit (software which allows remote administration and attempts to hide the tracks of intrusion). Besides targetting the user him/herself (spam, spyware, phishing attacks), these machines are also used to form botnets - remotely controlled networks of hijacked computers, which are then used for bigger tasks like coordinated attacks on larger targets, mass mailing etc.
- Trojan Horse type attacks with malware - in this case, the user is tricked to install a piece of software which results in the same situation as described in the previous point. Once installed, the malware may spread on like a virus (infecting files or staying resident in memory) or a worm (see below).
- Worm attacks - unlike cracking or trojans, these attacks are fully automatic, demanding no interference by the victim. Worms are malicious pieces of software which propagate themselves over the network using known holes in systems.
- Cross-site scripting (XSS) - in addition to static content, today's web pages use a wide variety of scripts - small programs which typically build a page in dynamic manner or automate some tasks. In case of proper security, a script can only work inside the boundaries of the same machine - however, in some cases, misconfiguration and/or security hole allow a script to influence another website. An example: in July 2006, someone [L] injected a funny message to Netscape.com (luckily, the script did not do anything malicious).
- DNS attacks (also known as 'pharming') - DNS (Domain Name System) is the way that allows us to use more 'human' addresses on the web - e.g. we can write 'www.cnn.com' instead of '220.127.116.11' (the Internet Protocol number for cnn.com) to our browsers. This is achieved using a network of name servers which tell the users' computers which IP number should answer to our query. In case of direct cracking of a name server or using a security hole to redirect ('poison') the DNS, fraudsters can send unsuspicious users to fake webpages which look like their real counterpart (e.g. one of the most popular targets is PayPal.com). Users will then be asked confidential information which is then used for identity theft or sometimes for direct attack against the user (e.g. bank accounts and passwords).
- Spoofing and homograph (homoglyph) attacks - as today's web is multilingual, different encodings are used to display characters of different languages. There is also UTF-8 - the system which strives to serve all languages, being able to display all known characters of different alphabets. One of the problems stemming from such an universal alphabet is the presence of homoglyphs (homographs) - letters of different alphabets which look the same. For example, Latin and Cyrillic alphabet shares a number of characters ('a', 'k', 'o'; some others like 'e', 'c', 'y' have different spellings but similar form). Such homoglyphs look similar but are in fact different characters in Unicode system. This can be used to construct similarly-looking domain names which are used to trick users to fake pages (like in DNS attacks described above). Similar spoofing has also simpler forms like 'G00GLE.COM' (gee-zero-zero-...) or 'rnicrosoft.com' (in lower case, looks superficially similar to 'Microsoft').
Why Nigeria? The factors that make Nigeria the unofficial headquarters of all kinds of scammers are actually quite diverse. Still, we can mention the following:
- long 'tradition' of economic uncertainty and corruption - while being a resource-rich country (mostly oil), it has been under a military rule and developed endemic corruption, being one of the worst in various related lists. The 2002 US DoT advisory strongly discourages dealing with the country, mentioning a number of serious shortcomings. During the recent years, the situation has improved a little, but not remarkably.
- large-scale poverty and inequality - 60% of the population lives under poverty line, while the richest 10% of population consumes 40.8% of resources (also, the World Bank has estimated that 80% of the oil revenues go to 1% of the population).
- relatively large country with a number of factions with occasionally unclear relations (=> many places to hide)
- English as a common language (there are more than 250 ethnic groups in Nigeria).
- relatively good (for the region) level of basic education - the CIA 2006 Factbook gives the literacy rate as 68%.
- relatively good information infrastructure - according to CIA Factbook, Nigeria ranks 40th in mobile phone usage (before Belgium; data from 2004) and 57th in Internet usage (right after Ireland; 2005).
- the history of frauds well predates Internet, as similar 'business practices' have been used for decades by both local gangs and oil industry, as well as the government (some links can be found here).
Considering the above, it is very unlikely that the country would lose its 'bad boy' image in near future, as most of the roots of the problem will probably take decades to find a solution. Consequently, it often retaliates against law-abiding Nigerians as well (e.g. some admins automatically block all network traffic originating from Nigeria), increasing the danger of digital divide in the region.
In most modern jurisdictions, phishing and other online frauds are considered crimes and will be punished. It took awhile for the legal system to adjust to the new trends (as always), but recently there have been successful cases against major phishers as well as spammers. Even Nigeria, the ultimate home of online fraud, has introduced laws which can send people to prison for spamming.
This is probably what helped to clear AOL. Well-written and well-enforced (when needed) policy helps not only better identify misconduct, but also raise the overall awareness on potential security issues. On the other hand, outrageously limiting and oppressive policies will result in negative reaction which may turn the situation even worse (e.g. 'the policy is for breaking'-mentality).
Adequate technical know-how
This includes both having good maintenance and support specialists as well as educating the general user base. Anti-phishing technologies exist (in web browsers, both Firefox and Internet Explorer have got some countermeasures), which should be employed. Ordinary users should be able to install anti-virus and anti-spyware software (much of which is freely available) and run them on regular basis.
Perhaps this is an appropriate name - these are people who are fighting back using the fraudsters' own rules. This is often considered 'social engineering supreme': letting the scammer to taste their own medicine. These attempts have been often quite successful. The partisans argue that by their counter-action, even if they do not manage to hit back, they at least keep the fraudsters busy with someone knowing their tricks (so they won't get to scam someone clueless at the same time). Two good examples are Scam-O-Rama and WhatsTheBloodyPoint, which introduce a new 'sport' of scambaiting or 'mugu-baiting' ('mugu' is a Nigerian Pidgin word meaning 'a fool', which is often used by scammers about their victims; here the partisans attempt to turn the table and make the scammer a mugu him/herself). As such, the phenomenon is one of the prime examples of ethical dilemmas or 'grey zones' seen in Internet.
Useful terms to remember
- script kiddie
- social engineering
- LEVY, Steven. Hackers: The Heroes of the Computer Revolution. Updated Edition. Penguin Press 2001. see two first chapters here
- MITNICK, Kevin D., SIMON, William L. The Art of Deception. John Wiley & Sons Inc. 2002. ISBN: 0471237124
- GOLDSTONE, David, SHAVE, Betty-Ellen. International Dimension of Crimes in Cyberspace. 22 Fordham Int'l L.J. 1924 (1998), http://ir.lawnet.fordham.edu/ilj/vol22/iss5/2/
- Know Your Enemy: Phishing. Honeynet Project & Research Alliance.
- The Jargon file: AOL!
- The Jargon File: September that never ended
- LEYDEN, J. (2006). Phishers aim to hook MySpace users. The Register, June 5.
- US DEPARTMENT OF THE TREASURY (2002). Advisory No 32: Transactions Infolving the Federal Republic of Nigeria.
- Spammers face jail terms under proposed law. The Guardian, October 15, 2005.
- What's The Bloody Point?
- 419 Unit AFF Statistics & Estimates
- Honeynet Project & Research Alliance
- Computer Crime Research Center
- Fraud Watch: Internet Fraud Statistics Reports
- GRANGER, Sarah. Social Engineering Fundamentals, Part I: Hacker Tactics. SecurityFocus, December 18, 2001
- GRANGER, Sarah. Social Engineering Fundamentals, Part II: Combat Strategies. SecurityFocus, January 9, 2002
- GROSSMAN, Wendy M. net.wars. New York University Press 1998. ISBN 0814731031
- OLLMANN, Gunter. The Phishing Guide: Understanding and Preventing Phishing Attacks. TechnicalInfo.net 2005