Phishing pushes e-crime further upstream

Internet crime often starts with phishing, the practice of duping a user into revealing bank account or log-in credentials via a fraudulent Web site.

Phishers send out reams of e-mail bait that say users' account information has expired or needs updating. The e-mail includes links to a site that may look very similar to their bank Web site, but isn't. Once those credentials are obtained, criminals use the information in a variety of creative and costly scams.

"The Web is under attack," said Phillip Hallam-Baker, principal scientist at VeriSign Inc, who gave a session Thursday on Internet crime at the W3C (World Wide Web) conference in Edinburgh, Scotland, this week.

The tools to commit e-crime are for sale on the Internet. Mounting an attack on millions of Internet users can be done for a little as US$300, Hallam-Baker said. Networks of computers under the control of hackers, called botnets, can be rented to send spam. Also for sale are lists of up to 100 million e-mail addresses.

Hallam-Baker said one Russian hacker will create a custom rootkit -- a method to hide a piece of malicious software deep in a computer's operating system -- for about $60.

If users are tricked into clicking on an attachment with a piece of malware, it can mean all of their personal data, such as passwords and credit card numbers, can be recorded and sent back to the hacker, who may resell them to other criminals.

The following are examples Hallam-Baker gave of the next steps clever e-criminals take after obtaining personal information.

Carding

Once credit card numbers are collected from a phishing site, the next step is putting the numbers to use in a way that can't easily be traced, a practice known as "carding." The fraud starts when scammers attract people through work-at-home schemes. The people, who believe they are doing a legitimate job as a packer or reshipper, assume the role of the "mule," an effective transit point to launder money or goods.

The scam works like this: The carder uses a credit card to order an item that's delivered to the mule. The mule's job is to move the goods to another person -- a fence -- who either sells the goods or moves them on to the carder.

When a fraudulent purchase is reported on the credit card, the mule is the first contact with law enforcement, and often, is liable.

Auction fraud

This scam involves users' log-in credentials for auction sites.

An Internet auction site user receives an e-mail asking about a laptop the user is supposed to send. The auction user is not supposed to send a laptop, and to resolve the misunderstanding the user is tricked into revealing information on a phishing site.

The perpetrator sells a camera on the auction site with the user's credentials. The camera buyer wires the money to the scammer, usually through a hard-to-trace wire transfer service such as Western Union, Hallam-Baker said.

The camera buyer e-mails the Web auction user asking for the camera. However, there is no camera.

Pump and dump

This hard-to-trace scam often crosses borders, making criminal investigations difficult.

A phisher will gain access to dozens of brokerage accounts and buy a few hundred dollars worth of "penny" stocks, typically those valued under US$1. The thinly traded stocks start to rise in value, and the criminals sell their own holdings on the market, Hallam-Baker said.

The U.S. Federal Bureau of Investigation has probes under way after several banks alerted the agency to this fraud, said Scott McGaunn, a special agent who investigates computer crimes.