What is Cybercrime?
Over the last 18 months, an ominous change has swept across the Internet. The tools driving the new attacks and fueling the black market are crimeware - bots, Trojan horses, and spyware.
Cybercrime Stories:
Sandra's Story
Sandra E. is a human resources professional who lives in a small town in Miami, Florida. She has used a computer in her job for more than ten years. At work, her computer is maintained by her organization’s IT department, and she has never experienced any security problems with the computer in her workplace.
Sandra considers herself to be computer savvy and believes that she is at low risk of online fraud for the following reasons:
She never shops online because she doesn't want to risk exposing her credit card information, and she doesn't like the idea that data about her purchases might be stored and used to make a profile of her likes and dislikes.
She uses her home computer only for personal email with friends and family, to surf the Web for information about new developments in her field, and to do banking once a month via her bank's Web site.
Occasionally she looks other things up on the Web, but not often.
Sandra's situation seems safe enough, right?
Unfortunately, looks can be deceiving. At work one day last summer, she heard about a new Internet Explorer browser vulnerability; it was so critical that emergency patches for all work computers in her organization had been distributed by her IT department that same day. She wanted to be sure her home computer was protected too, so when she got home she went online to get more information about the vulnerability, and determine if she was protected.
Using a popular search engine, she found a Web site that offered not only information about the vulnerability, but the option to have a patch for the vulnerability downloaded automatically to her computer. Sandra read the information, but opted not to accept the download since she was taught to download information only from authorized sources. Then she went to the official Microsoft site to obtain the patch.
So, what went wrong?
Unfortunately, as Sandra was reading information about the vulnerability on the first site, the criminal who had created the Web site was taking advantage of the fact that her computer actually had the vulnerability. In fact, as she was clicking "No" (to refuse the download that was being offered), unbeknownst to her the automatic installation of a small, but powerful, crimeware program was already taking place on her computer.
The program was a keystroke logger. Simultaneously, the Web site’s owner was already receiving a notification that the keystroke logger had been secretly and successfully installed on Sandra’s computer. The program was designed to covertly log everything she typed in from that moment on, and to send all of the information to the Web site owner as well. It functioned flawlessly, too - recording everything Sandra typed - every Web site she visited, and every email she sent, passing the stolen text on to the cybercriminal.
Later that evening, Sandra finished up her monthly online banking. As she logged into her personal bank account, the keystroke logger recorded those keystrokes too, including confidential information: the name of her bank, her user ID, her password, the last four digits of her Social Security number and her mother’s maiden name. The bank’s system was secure, and all the data she typed in was encrypted so no one along the route could casually discern the information. However, the key logging program was recording the information in real time - as she typed it in - before it was encrypted; thus, it was able to bypass the security that was in place.
It was just a matter of time before her bank’s name, her user ID, her password and her mother’s maiden name were in the hands of the cybercriminal. He added her name, and all of the associated information, to a long list of names of other unsuspecting users, and sold the list to someone he had met on the Internet - someone who specialized in using stolen bank information to make illegal withdrawals. When Sandra went to make a deposit several weeks later and asked for her balance statement, she was shocked to find that her bank account was almost empty. Sandra had been the victim of a cybercrime.
Steve's Story
Steve F. lives in the suburbs of Kansas City, Missouri, and is a retired government employee. Steve had antivirus software and a firewall, and kept them up to date. He knew not to click on an attachment in an email if he wasn’t expecting it, and he knew that this precaution applied to email from friends as well as "unknown" senders.
One day last September, Steve received an email that appeared to come from his bank, asking him to log on to his banking and investment account to update his personal information. He clicked on the URL in the email and went directly to his bank’s Web site - or so it seemed. In reality, the URL in the email took Steve to a ‘look-a-like’ Web site. The site looked identical to his own bank site, so when he was asked for his account number, username and password, he automatically started to type them in. Then he remembered something he had heard at a talk given at his local Rotary Club approximately two months before.
The featured speaker talked about phishing attacks – specifically mentioning look-a-like Web sites. The key to recognizing them, Steve remembered, was that a bank would never send its customers an email with a link in it asking customers to click and log in to their account. “If you receive such an email”, said the speaker, “simply discard it.” So he did.
Steve had just been the latest intended victim of the very thing he’d recently heard about - a phishing attack. However, he remembered just in time the simple rule that a bank should never send a Web link asking for personal information via email. Had he entered the information he was asked for, the cybercriminals would have had everything they needed to manipulate his banking and investment account.
Koby's Story
Some of the phishing methods can get pretty sophisticated. Koby, a middle school instructor, recently fell victim to such a scheme. Koby was using eBay to sell one of his vehicles, and he found a suitable buyer within several days. The buyer paid for the vehicle, and Koby removed its listing from eBay.
He was somewhat puzzled when he logged into his eBay account and was informed he had "one item for sale". He looked at the page, and sure enough, there was the vehicle - the same one he’d just sold - for sale. Then he noticed something wrong - very wrong. The email address that was listed for his contact information was not his. It was very similar, so much so that most people would not ever notice or suspect, but Koby did, and he knew something was just not right.
He emailed the "seller", and offered to buy the vehicle, and made arrangements to send the money to the seller. As it turned out, the "seller" was located in Chicago. Koby gave the FBI the information, and they tracked down the fraudsters. How did the fraudsters gain access to Koby’s account in the first place? A phishing email stating his account had been compromised asked him to click on a URL to go to his eBay account. He clicked, was taken to a page that looked identical to his eBay login page, and typed in his account information. The criminals used that information to log into his legitimate account and change the contact phone number.
Michelle's Story
Michelle, an aesthetician from Kansas, got her first computer three years ago, and she enjoyed receiving emails from her old college friends. She also liked to look at the latest beauty products online, although she never purchased any. She was a single mother supporting two sons, and the primary use of the computer was for the boys to look up information for school projects.
However, over the last year, Michelle noticed her computer seemed to be moving more slowly. In fact, by the time we interviewed her, she and her two boys had stopped using the computer altogether because it was so slow that it was unusable.
Over Christmas, she wanted to purchase some small gifts for some of the people she worked with. In particular, she wanted to locate some live ladybugs to give to one of the girls at work. So, not having a computer to use at home, she borrowed her grandmother's computer to locate and purchase the ladybugs. After a short time, she noticed her grandmother's computer seemed to be moving slowly too, so she decided that computers were just not for her.
Michelle's new boyfriend, however, was a computer science and engineering student, and when she told him about the slowed computers, he guessed the problem right away: spyware. He downloaded a spyware detection program and confirmed his diagnosis. It took him several days to untangle the mess, but eventually the spyware was removed and the computers were back to normal. He installed antivirus and security software for Michelle and her grandmother, and they were soon both back online. However, the story does not end here.
While Michelle was using her grandmother's computer, she had received a pop-up ad announcing she had won a $500 prize. All she had to do was answer a few questions, and she could claim her $500 shopping spree to a local department store. Michelle answered the questions, and then was told she had to buy two small items before getting her gift certificate. She ordered the two least expensive items from the gift menu, gave her credit card information as requested, and then attempted to put in the rest of the information to claim her $500 gift certificate.
However, the Web site would not accept her information, and after several attempts she gave up and decided to email the site owners, hoping they would help her get things sorted out. She wrote to them twice, but never received a reply. Her credit card was charged for the two 'small items' she agreed to purchase, but she never saw the $500 gift certificate.
These illustrations of cybercrime demonstrate that cybercriminals are very good at exploiting not only technology (such as the vulnerability in Sandra's browser, or the lack of security software on Michelle's computer), but human nature as well. People tend to trust what they see online, and when asked for information, they tend to comply.
By being educated about the role users can play in reducing their risks of becoming a cybercrime victim, users can learn to make decisions that will not only protect them, but those around them who might otherwise be impacted by the crime.
Symantec