This story appeared in the July/August 2004 issue of Web Host Industry Review magazine.
September 1, 2004 -- (WEB HOST INDUSTRY REVIEW) -- Web hosts, by now, are well aware of the alarming rate at which Internet users are being duped by "phishing" scams. Using convincing emails — as well as phony, reconstructed replicas of the Web sites of established, branded companies — phishers trick users into handing over cash, credit-card data, social security numbers and endless amounts of other valuable information.
Phishers are hurting more than the user—they're punching a Mack truck-sized hole in user confidence and, in the process, online commerce, industry leaders say.
And in an alarming addition to the threat, organized crime wants in.
In fact, organized crime is already a key player, investigators say. And it's doing more than — to paraphrase a Godfather line — simply sleeping with the phishes. Organized crime is taking the concept, along with other Internet-based fraud, to new heights.
The image of the hacker or Internet scammer as lonely, dateless loser pecking away at the basement computer by night no longer applies. The stakes are higher now. There is more than ever online to steal. So a new breed of smarter criminals is taking over. Organized criminals work together, with clearly defined roles. The execution is as finely crafted as the best of business plans. The capital investment is staggering.
The most telling illustration is an Overland Park, Kansas, company named Lexitrans. Officials with the company were indicted on federal charges in February after allegedly running a shell-company operation to market adult Web sites and 900 numbers that advertised for free trials but instead charged users. Investigators have told reporters that the illegal business generated $750 million in revenue — the largest consumer fraud in US history. And if the price tag didn't make the crime gripping enough, reports linked Lexitrans and its shell companies to the infamous Gambino crime family.
According to published reports, this was no basement-level operation. There was no less than 7,000 square feet of data center space at the Overland Park location, with redundant power and fiber-optic pipes. Internet access costs were estimated at $50,000 a month, and the company was paying $100,000 every day for placement on popular search engines.
And Lexitrans is far from an isolated case, say industry experts and government officials.
"Cyber-crime has gone incorporated — it's so much more sophisticated," says Clarence Briggs, CEO of Advanced Internet Technologies Inc. (ait.com), a Fayetteville, North Carolina-based managed and dedicated hosting company. "Take the worms and viruses that have been unleashed, for instance. Someone with the skill required to create something like Sobig or Blaster isn't doing it just to be a pest; there is a clear end game and money is the most obvious motive.
"Also, the schemes targeting individuals are better. Most people remember messages in shaky English, in which the author claims to have access to tens of millions of dollars that he would be happy to share with you if you only provide seed money. Now, people get bogus messages about bank or credit card errors, with the recipient urged to provide the correct account information. They're more effective because they play on the trust factor."
New findings from Stamford, Connecticut-based market research firm Gartner Inc. (gartner.com) demonstrate the spread of this type of attack. Some 57 million US users have received email linked to phishing scams. Nearly 11 million adults reported clicking on the link in a phishing attack — almost 20 percent of those receiving the email. And 1.78 million Americans, or 3 percent of those attacked, remember giving phishers their sensitive financial or personal information, such as a credit card number and billing address, by filling out a form on a spoof Web site. All told, phishing attacks account for 92 percent of known or suspected attacks within the last 12 months. Web hosting operations and other Internet companies that depend on consumer confidence in online transaction security are now seeing disheartening reports, as top brands, both dot-com and blue-chip, have been the subject of spoofed sites: eBay, PayPal, Citibank, America Online, Microsoft, EarthLink, Yahoo!, Wells Fargo, BellSouth and Fleet Bank.
There were nearly 215,000 complaints of ID theft made to the US Federal Trade Commission in 2003, with auction fraud accounting for nearly half of all Internet-related fraud complaints. Of the total 80 to 100 civil cases pursued by the FTC, fewer than five percent are typically based on a one-person operation, according to Rick Quaresima, chief of the criminal liaison unit in the FTC's Bureau of Consumer Protection (ftc.gov/ftc/consumer.htm). The Internet, he says, is a particularly attractive vehicle for committing such fraud.
"It's like anything else: If there's money to be made, organized groups of criminals will go to it," Quaresima says. "There is also an appealing degree of anonymity [in] sending spam and other disguised emails, and that makes it more attractive as well."
The Anti-Phishing Working Group (antiphishing.org), an effort launched by Redwood City, California-based email security and antispam company Tumbleweed Communications Corp. (tumbleweed.com), reports that financial services companies are now the most likely targets for the phish hook, with Citibank alone suffering 475 attacks in April. Overall, unique phishing attacks reported to the APWG have been growing at 110 percent per month, from 28 originally reported in November 2003 to 1,125 in April.
Organized crime is fueling much of this growth, experts say. And it's a global situation, not strictly domestic, which complicates law-enforcement efforts and oversight.
Roughly half of the attacks originate from the US, Gartner reports, with Eastern Europe — especially Russia — the second-most likely venue for organized fraud. But England, France and Germany are each seeing an increase in this illegal activity as well, along with other nations.
"We're seeing untraceable, anonymous, bullet-proof Web hosting and bulk email list services in countries like China, Korea and Russia," says Susan Larson, vice president for global content at SurfControl (surfcontrol.com), the Scotts Valley, California-based Web and email filtering company. "Spammers are trading lists of zombie PCs for use as open relays and proxies. The US is working with other governments on this, but each country has a different take on how to handle or prosecute. It was only just recently, after all, that the European Union called upon industry to crack down harder on these scams."
International organized crime is surfacing in unexpected ways. Just before the biggest British horse race of the year, the Grand National, gambling Web sites were met with extortion threats, told to pay up or risk a DoS attack on their sites' biggest day. In the US, the growing number of non-domestic attacks complicates the ability of law enforcement to pursue cases.
"I like to say that federal authorities have the same role in cyber-crime as the USGS has with earthquakes," says Christopher Getner, co-founder of Washington-based IT litigation consultant Aaxis Technologies (aaxistechnologies.com) and a former Web hosting executive. "They don't help in predicting or preventing problems, but they can be counted on after the fact to explain how bad it was."
As for what originates within the US, Getner and other industry leaders say there's a need for more proactive pursuits.
"If it is a crime to drive your automobile recklessly, then why can't federal agencies fine operators $1,000 for running SMTP servers with open relay?" he says. "Or $5,000 for unrestricted, anonymous-access FTP servers? As it stands now, hosting operators are stuck in the rock-and-a-hard-place situation of trying to rein in customers that create security problems, knowing that if they push too hard, the client will just move to another provider. Aggressive law enforcement on irresponsible users would help hosting operators without putting their businesses at risk."
The interest of organized crime is widespread enough for some very big criminal operations to be launching their own schemes.
"For them, it's a very appealing opportunity," says Avivah Litan, the Gartner vice president and research director who authored the recent report. "It's a lucrative crime, and a far less risky one. There are no blood and guts to deal with. All they have to do is hire the people with the necessary expertise — someone who can date a bank teller to get all the identification information for customers, fencers to fence merchandise, etc., and they're ready to go.
"Web hosts are indeed threatened by this, especially the larger ones. The phishers want to go after the hosts with the biggest inventory of customers, after all. But the damage here goes far beyond hosts. It takes away from the universal promise of the Internet, really — the promise that it has to reduce costs and provide an interactive experience with customers online. It damages the whole credibility of the email transaction. And that puts a damper on e-commerce in general, which ultimately hurts hosts and everyone else with a stake in it."
Of course, an organized crime effort need not resemble anything out of The Sopranos.
"It can be a collection of three or so people," says Dan Maier, senior product marketing manager for email security firm Tumbleweed and a spokesman for the APWG. "Typically, they'll be a spammer, a virus writer/coder/Web designer and someone who can move and launder money. They don't even know each other, necessarily, but they come together in chat rooms, cook up the scam and split the proceeds. They tend to be sophisticated, innovative and cover their tracks well."
He suggests that Web hosts pay attention to Web logs and look for remote pages loading images from their systems — a clue that a fake site is up and running. Heavy SMTP traffic may indicate open relays or a compromised server, directory harvest attacks or denial of service attacks in progress. A bunch of bounced emails are also a potential sign of trouble.
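As an added illustration of the Web-log check Maier describes (example code written for this article, not from the APWG or any host mentioned), the following Python scans Apache combined-format access log lines for image files served to pages hosted on someone else's domain. The log lines, the hostnames example-bank.test and login-verify.example.invalid, and all function names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/NCSA "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
OUR_HOSTS = ("example-bank.test",)  # hostnames we serve pages for (constructed)

# Constructed sample: a normal visitor, a spoof site hotlinking our logo and header,
# a direct fetch with no referer, a subdomain we own, and a failed request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2004:08:44:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://www.example-bank.test/login" "Mozilla/4.0"
10.0.0.6 - - [12/May/2004:08:44:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://login-verify.example.invalid/confirm.html" "Mozilla/4.0"
10.0.0.7 - - [12/May/2004:08:44:04 -0500] "GET /images/header.jpg HTTP/1.1" 200 9822 "http://login-verify.example.invalid/confirm.html" "Mozilla/4.0"
10.0.0.8 - - [12/May/2004:08:44:05 -0500] "GET /account/summary HTTP/1.1" 200 1302 "http://www.example-bank.test/login" "Mozilla/4.0"
10.0.0.9 - - [12/May/2004:08:44:06 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "-" "Mozilla/4.0"
10.0.0.10 - - [12/May/2004:08:44:07 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://secure.example-bank.test/" "Mozilla/4.0"
10.0.0.11 - - [12/May/2004:08:44:08 -0500] "GET /images/logo.gif HTTP/1.1" 404 210 "http://other.example.invalid/" "Mozilla/4.0"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer):
    """Hostname from the Referer header; None when absent ('-') or unparsable."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def is_external(host, our_hosts=OUR_HOSTS):
    """True unless host is one of ours or a subdomain of one of ours."""
    host = host.lower()
    return not any(host == h or host.endswith("." + h) for h in our_hosts)

def hotlinking_referers(lines, our_hosts=OUR_HOSTS, min_hits=2):
    """Count images served (HTTP 200) per external referring host; return hosts at or
    above min_hits. Referer is client-supplied and often blank: a lead, not proof."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        if not urlsplit(rec["path"]).path.lower().endswith(IMAGE_EXT):
            continue
        host = referer_host(rec["referer"])
        if host and is_external(host, our_hosts):
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= min_hits}
```

On the sample above only login-verify.example.invalid is reported (two images), while the owned subdomain, the blank referer and the failed request are all ignored.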
Another trend that hosts should watch for is the "floating" window, APWG reports. Phishers are putting phony, but legitimate-looking, floating windows over the address bars in Web browsers. When a user visits a crooked site, the Web page appears perfectly branded. But the URL needs to be disguised similarly to complete the ruse. So phishers develop JavaScript replicas that look like variations of real URLs.
Former federal prosecutor Pamela Naughton, a legal expert on fraud with the Los Angeles-based law firm Sheppard, Mullin, Richter & Hampton LLP (smrh.com), says Web hosts should be vigilant for liability's sake. The Justice Department recently notified all broadcast and online media that even running ads for online gambling is a crime — aiding and abetting.
"The Justice Department takes the position that the advertiser need not have known that what he was broadcasting was illegal, only that the act of advertising was done intentionally," she says. "That theory has yet to be tested in the courts sufficiently. But it's a scary thought for anyone who hosts a site which advertises any activity which could be deemed illegal."
Property- and asset-seizure cases also are a serious consideration for hosts. "If the government suspects that a legitimate business is being used as a tool to launder money obtained in an illegal enterprise, it may seize the assets of that legitimate business," Naughton says. "There is even case law suggesting that if legitimate money is intermingled with 'dirty' money, it too can be seized, since its purpose is to disguise the 'dirty' money."
Another legal element for hosts to consider is that property and asset seizures are relatively winnable for prosecutors because they play out in civil, not criminal, court. There is no "beyond a reasonable doubt" standard of proof for conviction, as is the case in criminal proceedings. The civil standard is far more prosecutor-friendly, with the task more akin to simply proving that the crime was "most likely" committed.
Rather than serve as passive conduits for information, Web hosts need to be diligent to make sure they don't get caught up in aiding and abetting charges linked to organized crime, Naughton says. They need to know that a client's business is legitimate and its ownership transparent.
Naughton says there are obvious trouble signs: Is the client based in a tax-haven country? Or is the country on a "watch list" for terrorism? Is the client paying with third-party checks or money orders? The greater implications of organized crime, fraud and the Web extend far beyond the scamming of individual Web users, however. They have implications for national security as well. And it's quite clear that, these days, the last thing a Web hosting operation wants is to land on the front page of The Wall Street Journal, publicly linked to a Homeland Security-related crime.
"The Patriot Act allows the government very broad powers in investigating and prosecuting anyone it believes is aiding and abetting or facilitating terrorism," says Naughton. "And terrorism is not just shipping guns and weapons. It includes money laundering and, most importantly, the shipping of technology to banned countries. For instance, many types of high-speed computers are not allowed to be shipped to Iran and other countries that have been said to sponsor terrorism. If a Web host is facilitating that crime by knowingly hosting a site which handles such transactions, it could be prosecuted."
The good news is that, for now, hosts are generally shielded from civil or criminal liability when it comes to the behavior of a criminal customer, assuming the host was unaware of the activity. But that kind of protection could change within time, says Bart A. Lazar, an Internet law expert and partner with the Chicago-based law firm of Seyfarth Shaw (seyfarth.com). If the association with cyber-crooks proves to be repeated, the host may be subject to legal action. He cites non-Web-based cases as examples.
"There are cases where the operator of a flea market continually harbored trademark counterfeiters," Lazar says. "These operators would be held liable for trademark infringement, for being 'willfully blind' to the continuing counterfeiting operations on its premises. Or take a case when a landlord is held liable for harboring continual drug sales on its premises. These 'contributory' theories could be applied in a Web hosting situation.
"The best way to protect yourself is through recognition, education and tracking. A host should participate in ongoing training through trade associations and law enforcement resources, and maintain regular contact with its vendors in order to learn about current developments, technological vulnerabilities and intrusion-detection strategies.
In addition, it is useful to develop an incident response protocol and make contact — or have a trade association representative or attorney make contact on its behalf — with representatives of the major credit card companies, the Federal Trade Commission, the FBI, and other national and local government agencies who are involved in battling cyber-crime, so that the company has the appropriate contacts in the event of an incident."
Hosts can also protect themselves with solid Terms of Use agreements, says Peter Vogel, a partner at Gardere Wynne Sewell and chairman of the Texas Supreme Court Judicial Committee on Information Technology.
"These Terms of Use should prohibit any illegal activities, and these illegal activities should be spelled out specifically, with at least one very broad-brush prohibition," he says. "Federal laws protect ISPs from liability for actions on their hosted sites until the ISPs become aware of a violation. So the Terms of Use should allow Web hosts to monitor the activities on their site from time to time, and also to investigate allegations from known, or unknown, sources."