Normally my bank is so efficient! Wayne clicks on the link in the email and is directed to his bank’s website. A pop-up login window appears. He enters his account details and clicks ‘submit’. But an error message appears, so he goes to his bank’s main website and tries again. All his account details and recent transaction history are successfully listed. My account’s still here, Wayne thinks. Was there really a problem?
But what Wayne doesn’t know is that although he ended up by logging into his bank’s real website, he also revealed his credit card details to an organised crime gang during his initial, supposedly failed, login attempt. Such rogue emails and websites are part of what’s known as a ‘phishing’ scam. The number of these scams is growing by the day.
The gang, armed with Wayne’s credit card details, uses the money to buy a plasma screen TV and sends it to a formerly unemployed lady who replied to a job ad she saw at a major online job website for a correspondence manager.
This woman gets paid a commission after sending the TV to an address in Russia, which she thinks is a children’s charity, and in doing so becomes an unwitting mule in a well organised, sophisticated group of fraudsters.
The goods are resold in Russia and the money laundering is complete. The scenario above is fictional but disturbingly five per cent of people fall for phishing scams, according to US-based security company Tumbleweed.
Most of us will have received a bogus email in our inboxes by now. These scams are one of the first steps in a chain of organised criminal activity, often based in Eastern Europe. Banks are the most likely target, but the single most targeted company is eBay, according to the Anti-Phishing Working Group (www.antiphishing.org), a consortium of more than 180 companies, including Tumbleweed, working on ways to combat the problem.
There are three common phishing techniques used to harvest information, says Jon Harvey, regulatory compliance director at Barclays bank. “One is to download a Trojan attachment onto your machine which captures keystrokes or opens up a port which can then be used for a remote phishing connection. This is not something we’re experiencing at Barclays at the moment,” he says.
Another technique involves soliciting information after users are duped into thinking they are using an official site. This can be done through a similar-sounding URL, such as www.visa-security.com. Also, unpatched Internet Explorer browsers are susceptible to a vulnerability which lets scamsters create a link to what appears to be a legitimate website in the address bar, but is really a fake website.
“Finally, you can compromise the DNS (Domain Name System) server on someone’s network so when you type in the name of the institution, it resolves to another address,” says Harvey.
Most victims of phishing have simply unknowingly entered their details on a fake website.
And it’s not just Internet novices who fall for these scams. “The level of sophistication is dramatically increasing,” says Dave Jevans, chairman of the Anti-Phishing Working Group and senior executive at Tumbleweed. “There has been code for these things seized. Some machines have been seized when there was a phishing attack launched and on the machines were five other attacks on institutions ready to go. We are definitely seeing the convergence between viruses and Trojans and phishing where people are starting to use keyloggers. We’re concerned about DNS takeover attacks.”
Taking people to a counterfeit website and then redirecting them to the real website once their information has been entered is also a worrying trend, Jevans says. People don’t realise that they’ve passed their login information to a scamster because they end up seeing the authentic site.
“Those have been a bit buggy, but they’re really scary.”
In the US, large ISPs like Earthlink have been a target too – similar scams will almost certainly be hitting the UK soon.
“ISPs have your credit card details and they bill monthly, so they’re a prime target,” says Jevans. “Someone sends an email pretending to be from your ISP and saying your card’s expired or there’s a billing problem,” he adds. These can be highly targeted because they know to only send the email to people at the ISP’s domain name. Many of these sites are even hosted at the ISPs themselves so they can be extremely real looking.
We’ve seen it happen to some ISPs here and they’ll get 70,000 phone calls into their customer support centre. It costs them real money.”
Horses for courses What happens once someone enters their banking details on a fake site?
“The account ID and password then needs to be available for the fraudster to obtain in such a way that there’s a clear break between where that information now sits and where the fraudster is so it can’t be traced back,” Harvey says.
The fraudster then logs on to the banking account and transfers the money into a mule’s account, whose role is then to transfer around 90-92 per cent of the stolen money overseas. Often, the funds are transferred between numerous stolen bank accounts both here and offshore in order to make the scam harder to track.
These mules have signed up to the scam after seeing jobs on popular websites listed for ‘correspondence managers’. Much of the time they are unaware that stolen money is being transferred.
Others cotton on, but have been unemployed for some time and are desperate for the lucrative commission.
In the case of repackaging and forwarding on stolen goods, phished details such as Visa numbers are often sold on the black market and used to buy high value items. Store credit can also be obtained if scamsters steal utility type information or a driver’s licence. Login details of popular retailers’ websites are also phished. Goods are purchased and sent on to an address other than the card’s billing address.
“The goods would be delivered to one of these mule people who think they’re receiving a donation for a charity or some bigger cause and they have to repackage it and post it,” Harvey says.
Scamsters have targeted at least one authentic charity, the Russian Orphan Opportunity Fund, several times by launching spoof websites that ask for help.
The price of phish The Anti-Phishing Working Group’s regular report on attacks showed that there were 282 unique phishing attacks in February this year, a 60 per cent increase on the 176 attacks reported in January. Apart from eBay (104 unique attacks, up from 51 in January), the second most targeted company was Citibank (58), followed by PayPal (42, up from 10 in January), AOL (10, down from 34 in January), Fleet Bank (9), Earthlink (8), Visa (8) and Barclays (6). Phishing was one of the major topics debated during the E-Crime Congress held in London last February, where Harvey was a presenter.
“Right now the fraud cost is there, but these large institutions have tons of fraud already,” says Jevans. “The real cost of the problem is the time at the helpdesk, educating customers, business reputation loss and loss of trust on the Internet. This is of particular concern to e-commerce companies who only conduct business online.”
A good catch?
The Anti-Phishing Working Group
collaborates securely online and
meets regularly around the world
to discuss phishing threats and
ways to combat them. Specific
solutions are outlined in a paper at
www.securitymanagement.com/library/
Antiphishing_Tech0304.pdf.
The main proposals so far include email authentication methods and looking at spam standards devised by companies like Microsoft and Yahoo!. “The problem with that is it’s going to take years to be implemented anywhere,” Jevans says.
The group is also investigating the potential for services which scan for ‘cousin’ domains whereby trademark owners would be notified if a similar sounding URL, or sites containing spoof content, are registered.
Barclays’ Harvey points out that “if you configured your website to be seen by spiders and robots we’d find it but a fraudster doesn’t do that – you need to know the absolute address”.
Some services, like Cogenta Domainwatch (www.cogenta.com/domainwatch.htm), scan incoming spam for keywords, which can flag up problems earlier, but don’t prevent them from occurring in the first place.
At Barclays, there is a warning screen each time you log into an online account and selected letters from your ‘secret word’ must be selected from a drop down menu, which thwarts keylogging programs. Users should always type the absolute URL of a website directly into their browser, rather than accessing it from a Favorites menu or a link contained within an email.
Operating systems must also be configured to ensure that remote system management services are switched off, and browsers need to be set with high security settings so that malicious code cannot be executed without the user’s knowledge. Adequate firewall and virus protection is absolutely essential.
For commercial sites, educating users and raising awareness of phishing scams is vital. Ensuring security is maintained requires cooperation between a site and its users.
“We’ve done a lot with education,” says Harvey. “Customers need to understand they need to protect themselves.”
Taking a few simple precautions and being vigilant shouldn’t diminish the convenience of using online services. Thankfully, the infrastructure of online banking and online retailers’ websites has remained secure since phishing began and for those who have been the victims of scams, human error, ignorance or URL masking has been to blame.
As phishing techniques become ever more sophisticated, the fight against the scamsters is a serious one – and one which requires industry cooperation and innovation to combat.
[01] Search engine spamming
It's not actually illegal to abuse technology in an attempt to grab the top spot in search engine rankings, But search engine 'spamming', whereby Webmasters try to fool search engines into believing their silo is relevant to the search results, isn't ethical--particularly when your site doesn't merit a place in Google's top ten. This kind of behaviour can result in your site being penalised, or even banned, from search results.
Search engine spamming has been an ongoing problem for the big search companies like Google and AltaVista. "It's an attempt to give you a position in search engine results that you don't deserve," says Ian Hegerty, technical architect at AltaVista International (www.altavista .co.uk). Search engine optimisation or marketing is perfectly benign, "but there are some techniques that go over the line of what's fair and legitimate and that becomes spamming", Hegerty says.
Search engine spamming is big business and the companies who specialise in it full time make a lot of money, particularly if a fly by night operation needs a quick and effective presence on the Web. One of the 'old school' techniques is keyword spain. "That's the placing of keywords on the page in very small or invisible text, with white text on a white background." Hegerty says. "Search engines will see the text but the ordinary user won't be able to."
Another trick is to set up a 'doorway page'. This is a page full of keywords, sometimes automatically generated flora a dictionary, which when loaded into a browser directs users to another page where the keyword isn't present. "You see this a lot in the porn arena where you might see a page saying 'Disney', 'Amazon' or 'Toys 'R' Us' in a search engine, but clicking on the link takes you to a porn site," says Hegerty.
Cloaking is another technique, where spammers present an entirely different version of their home page to a search engine to improve their ranking. As a result of cloaking you may see a page you wouldn't expect. Page jacking, meanwhile, happens when someone copies a website's source code to try and steal visitors.
Keyword spamming is easy for the likes of AltaVista and Google to detect, but the arms race between the search engines and the spammers is getting increasingly sophisticated. AltaVista develops automated mechanisms to deal with known spamming techniques but relies on its stall to spot new types of spare. Every 45 days AltaVista rebuilds its index, and every time this process reveals a new technique the spammers have developed.
One of the biggest tricks is called 'link spam'. Modern search engines increasingly rely on the link structure of the Web to determine how popular a website is, so the more other sites link to you, the better. Link spammers will create websites linking to hundreds of sites to try and boost these sites' rankings. These 'artificial link farms' sound cunning, but can still he detected. "In order to tackle this type of spare you really need a map of the Web that includes several billion URLs and to know all the links between them," Hegerty says. "You can run algorithms of the Web which find sites that use techniques like this." Link spammers can also trawl people's guestbooks and infest them with links. "One company had 53,000 links coming front guestbooks," Hegerty says. Thankfully, most search engines know how to resolve these and other new spamming problems quickly.
Hegerty's advice to users is to simply be aware that search engine spamming can happen. Look at the URL and text content and report any results which are out of place to the search engine support staff. If webmasters take on the services of a website optimisation company, they should know what borderline spamming techniques are--it's possible your site could get penalised or even banned if someone engages in some dubious marketing practices on your behalf.
[02] Affiliate spamming and hijacking
You're probably aware of affiliate schemes whereby if you click through to, say, Amazon via someone's website, they're likely to earn a small commission if you purchase something via the link.
Affiliate spammers copy as much information as possible from popular affiliate websites in order to get a high search engine ranking. Then, if you click on the search engine link, you'll be redirected to a site like Amazon's--but the spammer will tag on its own affiliate ID in the process. This means you could end up buying goods on Amazon without realising the spammer is earning money from your purchase. "They're making money purely because they're acting like an intermediary between the search engine and Amazon," says Hegerty.
Affiliate spammers can also send thousands of junk emails out to unwitting users. Click on a link and you may be generating money for the spammer. It's up to the company providing the affiliate scheme to detect and ban IDs from affiliates teat are abusing the system.
There's also software that hijacks legitimate affiliate revenue and redirects it to another company's account. Programs that do this are known as 'stealware'. Major peer to peer file sharing services are notorious for using this technique because they claim they need the money to continue to provide a free service. Kazaa uses a program called SaveNow from WhenU.com, while LimeWire uses TopMoxie.
Both have been known to divert commissions. While arguably unethical, if a user has opted in to allow these companies to take affiliate commissions, the only thing they can do is uninstall the stealware and inform the affiliate provider about what's happening.
[3] Hoax emails
While not harmful on their own, those new to the Internet are often fooled by hoax emails. They waste time and bandwidth for the rest of us.
Technology has made some magical things possible but emails promising unlimited free trips to Florida for everybody sound just a bit too good to be true and they are. Despite this, it's amazing how many friends who should know better forward chain emails saying 'Bill Gates is sharing his fortune and for every person you send this on to you'll receive $245!'. However, those who don't know any better may think they're doing a good deed. Some gentle advice is called for.
There are also hoaxes which tell you to delete a seemingly malicious file from your PC when in reality the file is harmless. Don't do it.
[04] Identity theft
Identity theft is the fastest growing online scare in 2002 it increased by 80 per cent, according to research firm Gartner Group. Scarily, we're all at risk.
In July a man called Juji Jiang went to at least 14 Kinko's stores in New York and secretly installed easily obtainable keylogger software on public computers. He was able to extract more than 450 usernames and passwords by monitoring what people were typing.
"The main cause of loss of identity credentials is usually caused by a keylogger," says Pete Simpson, manager of ThreatLab at email messaging company Clearswift. Keylogging software can find its way on to your computer via spam, worms, viruses and malicious Web pages, Simpson warns.
[05] Email spamming techniques
You hate spam. You keep getting it. Why? Because there are so many ways for spammers to know your email address is live. Even if you have spam control software in place, the spammers are learning all sorts of hacker style tricks to try and circumvent it, says Martino Corbelli, marketing manager for content filtering company SurfControl.
People often email an 'unsubscribe' address at the bottom of spam thinking they'll be taken off the spammers' mailing list. But, says Corbelli, "what they've actually done is communicate to the spammer that that was a live email address".
"More spare these days doesn't bother to have those messages because the moment you actually open an email, a 'Web beacon' sends a message to the spammer saying, 'someone's opened this email'. Then you get put into the live database."
Spam filtering techniques like pattern recognition art: becoming increasingly ineffective. "Spammers are basically just changing the letters they use," Corbeni says. For example, 'viagra' will read 'Viagra' or 'v_I_a_g_r_a'. You may also see random letters at the end of a subject line, used to trick pattern recognition software. Spammers also like hiding spam content within JavaScript or frames.
Another technique is to again use white text, which may relate to a business contract, on a white background. Any lexical analysis software will think the spam relates In a legitimate email. But, when you open it, the image embedded within the email is loaded--promoting cheap ink cartridges, or whatever.
Corbelli's advice? "If it looks like spam, smells like spare, tastes like spam ... don't even open it. Delete it straight away." Be aware of emails that may get you or your company into trouble. Links embedded in emails could introduce problematic content, such as child porn, into your company network.
[06] Fraud via email
Remember, if it sounds too good to be true, it probably is. You may receive entails from someone like Chief Egobike Madu, the executive director with Nigeria National Petroleum, who wants help to transfer tens of millions of dollars into a foreign account in return for a generous commission--but not before you cough up thousands of pounds to 'aid' the transaction.
This will be followed by delays. You'll be asked for more money to speed things up, and then you'll never hear from the scamsters again. This is the '419 scam', named after the relevant Nigerian criminal code. In fact, the 419 Coalition action group thinks the seam is the third to fifth largest 'industry' in Nigeria (http:// home.rica.net/alphae/419coal).
While most of us can spot when someone's trying to pull a fast one, technology has made it much easier for us to inadvertently give away important details about ourselves. The Citibank scams, for instance, (www.snopes.com/inboxer/scams/citibank .asp) look astonishingly realistic. Unsuspecting users responded to a spam mail reading: "We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it." They were then redirected to a spoof website which looked almost exactly like the Citibank one except a numerical URL would be visible in the address bar.
The latest seam involves notification of a money transfer, which requires registration with Citibank. Of course, registration requires you to enter your credit card details, which will then be in the hands of a fraudster.
[07] Auction scams
The US Internet Fraud Complaint Centre (www.ifccfbi.gov) processed around 49,000 complaints in 2002. Not surprisingly, Internet auction fraud comprised a whopping 46.1 per cent of referred fraud complaints, up by 7.7 per cent on 2001 figures. Complainants lost an average of $320 (around 200 [pounds sterling]) each, Although auction fraud appears to be growing each year, the auction industry itself is getting much faster in reacting to it and vigilance by individuals is helping stem the tide of auction fraud at bay.
However, stolen goods still crop up on eBay--even our very own columnist Lance Concannon bought a laptop which he had to hand over to the police when it turned out to have fallen straight off the back of a lorry. In the UK, the National High Tech Crime Unit routinely works with eBay in order to tackle criminal activity.
[08] E-commerce fraud
Some good news now. Figures from the Department of Trade and Industry fur 2002 suggest that lower than one per cent of people in the UK have reported experiencing online credit card fraud. This compares with two per cent who've encountered fraud offline, although five per cent of people know someone who has experienced fraud online. Two per cent of people have lost money to a fraudulent Internet company
Merchants have a harder time, and published reports may deter many wanting to start selling online. The 2002 online fraud report by Cybersource (www.cybersource.com) found that despite merchants using software to protect themselves from online fraud, losses didn't decrease because they didn't regularly update and integrate their anti-fraud tools. There were also losses not directly related to revenue, such as loss of staff time and chargeback fines. Credit card companies have been obliged to improve their authentication procedures, which has increased confidence for merchants and consumers. Visa's encrypted 3D Secure system allows merchants to authenticate credit cards with the cardholder's bank in real time. Customers must enter a password during the checkout process, thus reducing fraud incidents.
[9] Pumping and Dumping
No, this isn't about eating too much curry. It's about greed, Wall Street and online hype. Scamsters use spare, message hoards and chat rooms to talk up stocks they hold a stake in. Usually they claim to have 'insider information' on something big. People buy the stock, the price rises, the scamster sells their stock and the prices begin to fall.
Take a typical email from our inboxes, for example: "Tamarak recently announced joint venture discussions with Disney and CBS for the production of full length feature films and television mini-series. We expect a major announcement regarding significant financing ... The stock could easily reach $10.00 in less than a month on the strength of their upcoming announcements." The company had publicly announced this in the press, but one day later, the US Securities and Exchange Commission temporarily suspended trading in Tamarak securities "because of questions that have been raised about the accuracy of assertions in press releases" concerning the company's financial ability to produce and distribute a TV mini series and "purported discussions between Tamarak and major TV and film studios".
[10] Fraudulent pay per click
Most search engines prominently display sponsored listings or paid for advertisements alongside their traditional, Web crawled results. These listings are provided by companies such as Overture, Google AdWords and eSpotting.
Advertisers fight with their competitors to get top placements by bidding against them for lucrative search keywords. The more popular the keyword, the higher the bid. Whenever a user clicks on a link, the advertiser must pay the pay per click company the amount determined during bidding. But in the dirty world of business, there have been cases of companies trying to generate fraudulent clicks on their rivals' websites to try and milk their marketing budgets.
Advertiser security is a top priority, says Karen Salamon, marketing director at Overture UK. "Overture's Click Through Protection System is based on sophisticated, patent-pending technology that runs 24 hours a day, seven days a week to help prevent advertisers from being charged for questionable clicks." Search and click patterns are studied across 50 data points, including user session, IP address and browser information. "Marketplace integrity is critical to our success and the goal of our filtering system is to be perfect," says Salamon. Multi clicking is unethical, but is it illegal? "Repeated clicking can be linked to or stem from illegal behaviour and may be intended to result in a fraudulent reduction in the victim advertiser's marketing budget," says Salamon. "For this reason, Overture takes any such behaviour very seriously and maintains best-of-breed systems to detect and isolate invalid clicks."
ONE READER'S STORY Richard Osborne is an IT consultant (www.ozzy.co.uk), whose clients market their sites through Overture, When one site's daily pay-per-click (barges rocketed from 30 [pounds sterling] to 110 [pounds sterling] and then up to 250 [pounds sterling], Osborne suspected that a competitor was purposely milking his client s marketing budget with fraudulent clicks. He checked the site logs and noticed the same IP addresses continually accessing the site.
After informing Overture he received a standard email stating that they could see no abnormal activity. "I replied saying that I thought they were wrong and included full server logs. Three days later I got the same standard email, word for word, back again."
It was only after Osborne contacted the press that Overture called him back. "I get the impression they're probably try to fob people off and people accept it because Overture are big."
Osborne now makes sure to add proper tracking cede to his clients' URLs. Overture says: "In order to verify that Overture's Click Through Protection System is working, advertisers should have an Overture Tracking URL on their listings ... to review their Web logs and see that we have not billed for invalid clicks."
Has this happened to you? Osborne recommends visiting the forums at http://forums.seochat.com. Most of the time the Internet is a perfectly honest place to go about your business but, as in the real world, it's surprisingly easy to become a victim of an unpleasant scare or find yourself involved in dodgy dealings. However, if you know what you're dealing with you're tar less likely to get caught out. with this in mind we've undertaken a little detective work to discover the ugliest seams you're ever likely to encounter online. Some are perfectly legal, must are unethical, and all of them you should be aware of. [01] Search engine spamming It's not actually illegal to abuse technology in an attempt to grab the top spot in search engine rankings, But search engine 'spamming', whereby Webmasters try to fool search engines into believing their silo is relevant to the search results, isn't ethical--particularly when your site doesn't merit a place in Google's top ten. This kind of behaviour can result in your site being penalised, or even banned, from search results. Search engine spamming has been an ongoing problem for the big search companies like Google and AltaVista. "It's an attempt to give you a position in search engine results that you don't deserve," says Ian Hegerty, technical architect at AltaVista International (www.altavista .co.uk). Search engine optimisation or marketing is perfectly benign, "but there are some techniques that go over the line of what's fair and legitimate and that becomes spamming", Hegerty says. Search engine spamming is big business and the companies who specialise in it full time make a lot of money, particularly if a fly by night operation needs a quick and effective presence on the Web. One of the 'old school' techniques is keyword spain. "That's the placing of keywords on the page in very small or invisible text, with white text on a white background." Hegerty says. "Search engines will see the text but the ordinary user won't be able to." Another trick is to set up a 'doorway page'. This is a page full of keywords, sometimes automatically generated flora a dictionary, which when loaded into a browser directs users to another page where the keyword isn't present. "You see this a lot in the porn arena where you might see a page saying 'Disney', 'Amazon' or 'Toys 'R' Us' in a search engine, but clicking on the link takes you to a porn site," says Hegerty. Cloaking is another technique, where spammers present an entirely different version of their home page to a search engine to improve their ranking. As a result of cloaking you may see a page you wouldn't expect. Page jacking, meanwhile, happens when someone copies a website's source code to try and steal visitors. Keyword spamming is easy for the likes of AltaVista and Google to detect, but the arms race between the search engines and the spammers is getting increasingly sophisticated. AltaVista develops automated mechanisms to deal with known spamming techniques but relies on its stall to spot new types of spare. Every 45 days AltaVista rebuilds its index, and every time this process reveals a new technique the spammers have developed. One of the biggest tricks is called 'link spam'. Modern search engines increasingly rely on the link structure of the Web to determine how popular a website is, so the more other sites link to you, the better. Link spammers will create websites linking to hundreds of sites to try and boost these sites' rankings. These 'artificial link farms' sound cunning, but can still he detected. "In order to tackle this type of spare you really need a map of the Web that includes several billion URLs and to know all the links between them," Hegerty says. "You can run algorithms of the Web which find sites that use techniques like this." Link spammers can also trawl people's guestbooks and infest them with links. "One company had 53,000 links coming front guestbooks," Hegerty says. Thankfully, most search engines know how to resolve these and other new spamming problems quickly. Hegerty's advice to users is to simply be aware that search engine spamming can happen. Look at the URL and text content and report any results which are out of place to the search engine support staff. If webmasters take on the services of a website optimisation company, they should know what borderline spamming techniques are--it's possible your site could get penalised or even banned if someone engages in some dubious marketing practices on your behalf. [02] Affiliate spamming and hijacking You're probably aware of affiliate schemes whereby if you click through to, say, Amazon via someone's website, they're likely to earn a small commission if you purchase something via the link. Affiliate spammers copy as much information as possible from popular affiliate websites in order to get a high search engine ranking. Then, if you click on the search engine link, you'll be redirected to a site like Amazon's--but the spammer will tag on its own affiliate ID in the process. This means you could end up buying goods on Amazon without realising the spammer is earning money from your purchase. "They're making money purely because they're acting like an intermediary between the search engine and Amazon," says Hegerty. Affiliate spammers can also send thousands of junk emails out to unwitting users. Click on a link and you may be generating money for the spammer. It's up to the company providing the affiliate scheme to detect and ban IDs from affiliates teat are abusing the system. There's also software that hijacks legitimate affiliate revenue and redirects it to another company's account. Programs that do this are known as 'stealware'. Major peer to peer file sharing services are notorious for using this technique because they claim they need the money to continue to provide a free service. Kazaa uses a program called SaveNow from WhenU.com, while LimeWire uses TopMoxie. Both have been known to divert commissions. While arguably unethical, if a user has opted in to allow these companies to take affiliate commissions, the only thing they can do is uninstall the stealware and inform the affiliate provider about what's happening. [3] Hoax emails While not harmful on their own, those new to the Internet are often fooled by hoax emails. They waste time and bandwidth for the rest of us. Technology has made some magical things possible but emails promising unlimited free trips to Florida for everybody sound just a bit too good to be true and they are. Despite this, it's amazing how many friends who should know better forward chain emails saying 'Bill Gales is sharing his fortune and for every person you send this on to you'll receive $245!'. However, those who don't know any better may think they're doing a good deed. Some gentle advice is called for. There are also hoaxes which tell you to delete a seemingly malicious file from your PC when in reality the file is harmless. Don't do it. [04] Identity theft Identity theft is the fastest growing online scare in 2002 it increased by 80 per cent, according to research firm Gartner Group. Scarily, we're all at risk. In July a man called Juji Jiang went to at least 14 Kinko's stores in New York and secretly installed easily obtainable keylogger software on public computers. He was able to extract more than 450 usernames and passwords by monitoring what people were typing. "The main cause of loss of identity credentials is usually caused by a keylogger," says Pete Simpson, manager of ThreatLab at email messaging company Clearswift. Keylogging software can find its way on to your computer via spam, worms, viruses and malicious Web pages, Simpson warns. [05] Email spamming techniques You hate spam. You keep getting it. Why? Because there are so many ways for spammers to know your email address is live. Even if you have spam control software in place, the spammers are learning all sorts of hacker style tricks to try and circumvent it, says Martino Corbelli, marketing manager for content filtering company SurfControl. People often email an 'unsubscribe' address at the bottom of spam thinking they'll be taken off the spammers' mailing list. But, says Corbelli, "what they've actually done is communicate to the spammer that that was a live email address". "More spare these days doesn't bother to have those messages because the moment you actually open an email, a 'Web beacon' sends a message to the spammer saying, 'someone's opened this email'. Then you get put into the live database." Spam filtering techniques like pattern recognition art: becoming increasingly ineffective. "Spammers are basically just changing the letters they use," Corbeni says. For example, 'viagra' will read 'Viagra' or 'v_I_a_g_r_a'. You may also see random letters at the end of a subject line, used to trick pattern recognition software. Spammers also like hiding spam content within JavaScript or frames. Another technique is to again use white text, which may relate to a business contract, on a white background. Any lexical analysis software will think the spam relates In a legitimate email. But, when you open it, the image embedded within the email is loaded--promoting cheap ink cartridges, or whatever. Corbelli's advice? "If it looks like spam, smells like spare, tastes like spam ... don't even open it. Delete it straight away." Be aware of emails that may get you or your company into trouble. Links embedded in emails could introduce problematic content, such as child porn, into your company network. [06] Fraud via email Remember, if it sounds too good to be true, it probably is. You may receive entails from someone like Chief Egobike Madu, the executive director with Nigeria National Petroleum, who wants help to transfer tens of millions of dollars into a foreign account in return for a generous commission--but not before you cough up thousands of pounds to 'aid' the transaction. This will be followed by delays. You'll be asked for more money to speed things up, and then you'll never hear from the scamsters again. This is the '419 scam', named after the relevant Nigerian criminal code. In fact, the 419 Coalition action group thinks the seam is the third to fifth largest 'industry' in Nigeria (http:// home.rica.net/alphae/419coal). While most of us can spot when someone's trying to pull a fast one, technology has made it much easier for us to inadvertently give away important details about ourselves. The Citibank scams, for instance, (www.snopes.com/inboxer/scams/citibank .asp) look astonishingly realistic. Unsuspecting users responded to a spam mail reading: "We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it." They were then redirected to a spoof website which looked almost exactly like the Citibank one except a numerical URL would be visible in the address bar. The latest seam involves notification of a money transfer, which requires registration with Citibank. Of course, registration requires you to enter your credit card details, which will then be in the hands of a fraudster. [07] Auction scams The US Internet Fraud Complaint Centre (www.ifccfbi.gov) processed around 49,000 complaints in 2002. Not surprisingly, Internet auction fraud comprised a whopping 46.1 per cent of referred fraud complaints, up by 7.7 per cent on 2001 figures. Complainants lost an average of $320 (around 200 [pounds sterling]) each, Although auction fraud appears to be growing each year, the auction industry itself is getting much faster in reacting to it and vigilance by individuals is helping stem the tide of auction fraud at bay. However, stolen goods still crop up on eBay--even our very own columnist Lance Concannon bought a laptop which he had to hand over to the police when it turned out to have fallen straight off the back of a lorry. In the UK, the National High Tech Crime Unit routinely works with eBay in order to tackle criminal activity. [08] E-commerce fraud Some good news now. Figures from the Department of Trade and Industry fur 2002 suggest that lower than one per cent of people in the UK have reported experiencing online credit card fraud. This compares with two per cent who've encountered fraud offline, although five per cent of people know someone who has experienced fraud online. Two per cent of people have lost money to a fraudulent Internet company Merchants have a harder time, and published reports may deter many wanting to start selling online. The 2002 online fraud report by Cybersource (www.cybersource.com) found that despite merchants using software to protect themselves from online fraud, losses didn't decrease because they didn't regularly update and integrate their anti-fraud tools. There were also losses not directly related to revenue, such as loss of staff time and chargeback fines. Credit card companies have been obliged to improve their authentication procedures, which has increased confidence for merchants and consumers. Visa's encrypted 3D Secure system allows merchants to authenticate credit cards with the cardholder's bank in real time. Customers must enter a password during the checkout process, thus reducing fraud incidents. [9] Pumping and Dumping No, this isn't about eating too much curry. It's about greed, Wall Street and online hype. Scamsters use spare, message hoards and chat rooms to talk up stocks they hold a stake in. Usually they claim to have 'insider information' on something big. People buy the stock, the price rises, the scamster sells their stock and the prices begin to fall. Take a typical email from our inboxes, for example: "Tamarak recently announced joint venture discussions with Disney and CBS for the production of full length feature films and television mini-series. We expect a major announcement regarding significant financing ... The stock could easily reach $10.00 in less than a month on the strength of their upcoming announcements." The company had publicly announced this in the press, but one day later, the US Securities and Exchange Commission temporarily suspended trading in Tamarak securities "because of questions that have been raised about the accuracy of assertions in press releases" concerning the company's financial ability to produce and distribute a TV mini series and "purported discussions between Tamarak and major TV and film studios". [10] Fraudulent pay per click Most search engines prominently display sponsored listings or paid for advertisements alongside their traditional, Web crawled results. These listings are provided by companies such as Overture, Google AdWords and eSpotting. Advertisers fight with their competitors to get top placements by bidding against them for lucrative search keywords. The more popular the keyword, the higher the bid. Whenever a user clicks on a link, the advertiser must pay the pay per click company the amount determined during bidding. But in the dirty world of business, there have been cases of companies trying to generate fraudulent clicks on their rivals' websites to try and milk their marketing budgets. Advertiser security is a top priority, says Karen Salamon, marketing director at Overture UK. "Overture's Click Through Protection System is based on sophisticated, patent-pending technology that runs 24 hours a day, seven days a week to help prevent advertisers from being charged for questionable clicks." Search and click patterns are studied across 50 data points, including user session, IP address and browser information. "Marketplace integrity is critical to our success and the goal of our filtering system is to be perfect," says Salamon. Multi clicking is unethical, but is it illegal? "Repeated clicking can be linked to or stem from illegal behaviour and may be intended to result in a fraudulent reduction in the victim advertiser's marketing budget," says Salamon. "For this reason, Overture takes any such behaviour very seriously and maintains best-of-breed systems to detect and isolate invalid clicks."
MORE INFO Info on avoiding types of investment scams www.sec.gov/investor/pubs /cyberfraud.htm Comprehensive link to details of spyware and adware www.iol.ie/~link/Spyware %20Information.htm Be aware of search engine submission techniques www.searchenginewatch.com What are your online rights? The DTI has set up a guide www.consumer.gov.uk /consumer_web /e-shopping.htm If you're sick of your friends sending you endless hoax virus reports, direct them to www.sophos.com/virusinfo /hoaxes ONE READER'S STORY Richard Osborne is an IT consultant (www.ozzy.co.uk), whose clients market their sites through Overture, When one site's daily pay-per-click (barges rocketed from 30 [pounds sterling] to 110 [pounds sterling] and then up to 250 [pounds sterling], Osborne suspected that a competitor was purposely milking his client s marketing budget with fraudulent clicks. He checked the site logs and noticed the same IP addresses continually accessing the site.
After informing Overture he received a standard email stating that they could see no abnormal activity. "I replied saying that I thought they were wrong and included full server logs. Three days later I got the same standard email, word for word, back again."
It was only after Osborne contacted the press that Overture called him back. "I get the impression they're probably try to fob people off and people accept it because Overture are big." Osborne now makes sure to add proper tracking cede to his clients' URLs. Overture says: "In order to verify that Overture's Click Through Protection System is working, advertisers should have an Overture Tracking URL on their listings ... to review their Web logs and see that we have not billed for invalid clicks."
Has this happened to you? Osborne recommends visiting the forums at http://forums.seochat.com.