WHAT IS THE PROBLEM?
The Internet is overwhelmingly a power for good. It provides cheap and easy access every moment of every day to a vast reservoir of information and entertainment and it is transforming the nature of commerce and Government. However, with approximately one billion users worldwide accessing almost 75 million Web sites, there is bound to be some offensive, and even illegal, use of the Net.
There is a dark side to the Internet. It would be naïve to deny it and alarmist to exaggerate it.
The “British Journal of Criminology” (volume 38, Oxford University Press) contains an article called “Net Crime” by professional criminologist Mike Sutton and IT expert David Mann which claims that people are “more likely to engage in criminal behaviour online than they are in the physical world”.
Crime on the Net takes many forms including hacking, viruses, fraud, scams, money laundering, industrial espionage, prostitution, certain forms of gambling, drug use, drug smuggling, suicide assistance, defamatory allegations, cyber stalking, cyber terrorism, actual terrorism.
WHAT ARE THE CATEGORIES OF CYBERCRIME?
Hacking can take several forms:
Some Internet users think that hacking is pretty harmless fun and even quite clever [for examples, see note 1], but it can be a serious invasion of privacy and a significant threat to e-commerce. The Information Security Advisory Group estimates that world-wide there are now some 100,000 hackers or crackers (as they prefer to describe themselves). White-hat hackers test computer security at the request of organisations; black-hat hackers act privately to break into systems; and grey-hat hackers straddle both worlds.
The hacking of personal computer terminals is actually quite easy because most people use Microsoft software which is notoriously open to abuse. Hackers have developed a program called “The Backdoor” which provides them access to systems running Microsoft Windows. At its most invasive, this would allow a hacker to switch on remotely a microphone or webcam associated with the PC being hacked.
Company computer systems are usually more difficult to hack because they employ protective arrangements such as firewalls. The most serious threats faced by organisations are from insiders or former insiders who have privileged information such as passwords.
The most infamous group of hackers – operating since 1994 – is an American team which calls itself “The Cult of the Dead Cow” (CDC). Perhaps the best-known individual hacker is Kevin Mitnick who served five years for five fraud offences related to breaking into the computer systems of several multinational companies including Sub Microsystems and Motorola.
One of the most serious hacking incidents of recent times occurred in February 2000 when distributed ‘denial of service’ attacks brought down the sites of Yahoo!, CNN, eBay, Buy.com, Amazon, E*Trade, Datek & ZDNet. Subsequently the culprit was found to be a Canadian teenager living in Montreal who was only 15 at the time. He hacked into 75 computers in 52 different networks which he then used to attack 11 Internet sites. Mafiaboy - as he was dubbed - was eventually sentenced to an eight-month sentence in a Canadian detention centre.
The biggest military computer hacker of all time is said to be a 36 year unemployed computer programmer from north London, Gary McKinnon, who used the handle Solo. He was arrested in March 2002 as a result of allegedly hacking into 92 computer networks operated by NASA and the US military (including two break-ins at the Pentagon). He has been charged with eight counts of computer fraud and causing damage estimated at nearly $1M.
While much hacking is done for so-called 'fun', other forms of hacking are done for more mercenary reasons, especially the obtaining and sale of credit card details. Where on-line trading is concerned, it is not the connection which is particularly insecure but the database which can be hacked into by those with specialist knowledge and criminal intent. Currently the credit card trading centre of the world is St Petersburg in Russia; the buyers tend to be from the Far East; and the victims live predominately in the USA and Europe.
In the UK, following attempts by a hacker to tap into its mailing system, Virgin Net was forced to require some 170,000 of its 800,000 customers to change their passwords. Working from his bedroom on a £700 PC, a Welsh teenager called Raphael Gray manged to hack e-commerce sites to obtain credit card details of some 25,000 Internet shoppers before he was apprehended.
In the US, CD Universe refused to pay the $100,000 blackmail demand of a hacker – thought to be from Eastern Europe – who had obtained credit card details of 300,000 of the company’s customers, so the hacker posted 25,000 credit card files on the Internet and claimed to have used the details already to obtain money. Another US-based company which has been threatened by a hacker was Bloomberg. The company pretended to be willing to pay the hacker – who was based in Kazakhstan – and arranged a meeting in London where two individuals were arrested.
Western Union closed its web site for five days in September 2001 after a security breach saw hackers access 15,000 records containing credit and debit card details. In February 2003, a hacker gained access to the credit card details of more than 8M Mastercard, Visa, American Express and Discover holders in the US by gaining access to the systems of an undisclosed third party company which processes retailers' payments.
Link: Cult of the Dead Cow click here
Viruses, in the broadest sense, come in three forms:
The most prolific virus ever is Klez and MessageLabs estimates that one in every 300 e-mails sent today contains a variation of the Klez virus. However, it is believed that there are around 20,000 different computer viruses in existence, many of them placed on the Internet deliberately to cause confusion or damage.
The threat of new, self-propagating viruses is growing. Melissa, ExploreZip and Ska-Happy99 forward themselves by hijacking a computer’s e-mail program which gives them the potential to attack globally in days. The Melissa virus – originated by David Smith in March 1999 and named after one of his favourite strippers – is believed to have cost businesses world-wide an estimated $385 million in damage to their systems. It led to Smith receiving 20 months in prison and a $5,000 fine. The infamous Love Bug virus of 2000 infected 45 million people in a single day and went on to cause a staggering $8.75 billion in damage. In 2001, we had the SirCam virus which, although more irritating than dangerous, still caused businesses $1.15 billion in damage.
So far, the worst month for viruses has been August 2003. First, Blaster.B (also known as MSBlast) emerged, crashing systems such as that of Air Canada (a couple of weeks later, the FBI arrested an 18 year old American for creating the virus). Then SoBig F arrived which was so prolific that, at its peak, it affected one in every 15 e-mails across the world. Among many systems affected was that of the American railway network which as a result suffered widespread delays.
Ironically not all virus warnings relate to actual viruses because, for some reason, there are many hoaxes. Therefore, before passing on a warning of a virus, it is always sensible to check first if the virus is a hoax or not.
Link: Virus myths click here
Digital technology makes it very easy to copy perfectly creative products such as music or films and the Internet provides a free and almost anonymous means of transmitting or exchanging this pirated material around the world. The favoured means of making such material available is peer-to-peer file-sharing applications. Originally the main problem was with music in the form of MP3 files exchanged through sites such as Napster. Now, with the growing availability of broadband connections, the provision of full-length movies can take place in an hour or two through sites such as Movie88.com based in Taiwan.
On the music front, some artists are now trying to make it impossible to play new CDs on a PC and therefore make them hard to copy. The Celine Dion CD "A New Day Has Come" has on it the label "Will not play on PC/MAC". On the film front, the Motion Picture Association of America (MPAA) has moved to close sites like Movies88.com.
Illegal trading on the Internet uses chatrooms, bulletin boards, newsgroups and Web sites. The arrangements can take various forms:
Brand Intelligence is an Edinburgh-based company employed by businesses to see how their names or brands are being used or abused online. The company uses 'deep searching' techniques to track every part of the Internet except e-mail and instant messenging. Investigations can be complex: goods may be shipped several times before they reach their destination, Web sites offering such goods may be moved frequently, sites may be hidden from search engines using 'robot.txt' files, payments may be to banks in other countries. So it is a technological battle between the illegal traders and the brand owners.
One of the most common types of fraud on the Internet is designed to trick users of certain sites - notably banks and building socities - into disclosing their passwords or other confidential information needed to access their accounts. A common means of doing this is to e-mail customers advising that it is necesary to check or confirm their password by clicking onto a realistic but fake website and then inputting the confidential information. It is then possible for money to be fraudulently transferred from the individual's account.
In the Autumn of 2003, this type of fraud was perpetrated against UK customers of Barclays, Nat West, Lloyds TSB, Citibank, Halifax and Nationwide. In fact, no bank of financial institution would ever ask a customer to disclose confidential information in this way.
Another type of fraud – which fortunately is not common because of the expert knowledge required – is called 'packet reading'. This involves hackers locating patterns of data, such as credit card digits, intercepting and copying them.
Another practice – known as ‘cramming’ – involves charging a customer for extra services on top of a service for which they have signed up. A well-known case of this kind involved the company Xpics which ran a network that included a variety of pornography sites and offered a free trial membership on the provision of credit card details allegedly to prove that the customer was over 18. Cancelling the subscription then proved horrendously difficult.
A much more common type of fraud relates to on-line auction trading. This involves a registered seller on an established Web site building up a reputation, then listing for auction items which he does not possess, and finally vanishing with the winning bidders’ payments.
In August 2000, it was reported that US authorities were investigating a credit card fraud at Flooz.com , one of the best known purveyors of an on-line currency. It was believed that the company had been defrauded of some $300,000 by a ring of credit card thieves operating out of Russia and other parts of Eastern Europe.
In the United States – where currently most on-line shopping takes place – the National Consumers League runs an Internet Fraud Watch which in 1999 recorded a 38% increase in complaints, with a total consumer loss of $3.2 million. The number one Internet fraud – representing 87% of all reports – was online auction sales, followed by non-action sales of general merchandise, Internet access services, computer equipment/software, and work-at-home plans.
PricewaterhouseCoopers believes that fraudulent e-commerce transactions make up half the annual fraud total in the United States. Concern by banks about on-line fraud is leading to work on improved security for credit card transactions. Particular attention is being devoted to combating the use of programs, which can be downloaded from the Internet, that can make ‘valid’ credit card numbers from an algorithm. If these numbers are then used for small virtual purchases, such as access to pornographic sites, there is a fair chance that the transactions will not be checked. Currently the safest sites for e-commerce transactions are those that use Secure Sockets Layer (SSL). In the next couple of years, extra security will come from “smart” cards with microchips embedded in them.
Link: Internet Fraud Complaint Centre in USA click here
Many Web sites do not actually provide what they seem to offer. Consider for instance the Ticket To Heaven site which offers a place with God for a mere $15 [click here].
A typical Internet scam is to put up a bogus Web site which is just a front for criminal activity. Only slightly more sophisticated is the ‘get rich quick’ site. This offers grants or payments in return for credit card or bank account details.
'Phishing' - also called 'carding' - is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.
One of the biggest scams, which originated off-line, has now been on the Internet for years and continues to be prolific. It is called the "Nigerian 419" scam after the section of the Nigerian criminal code which oulaws 'advance fee' scams. It is organised by criminals in Nigeria - or, more latterly, Gabon, Botswana or South Africa - who pretend that an enormous sum of money (anything up to $80M) is ‘surplus’ to a public contracts account or available following some compensation arrangement and that the recipient of the communication can earn some 20% of this sum (up to $16M) by secretly providing details of an available bank account. The transaction is frequently described as “risk free”.
It is such an audacious trick that I would not necessarily have believed that it existed and that people fell for it had I not personally received the “request” by e-mail many times from a variety of countries [for typical text, see note 2] and learned that, in the UK alone, in 2002 150 victims lost an average of £57,000 each making a total loss of £8.4 million. The West African Organised Crime Section (WAOCS) of the National Criminal Intelligence Service (NCIS) leads the opposition to the fraud, but individuals receiving approaches should report the details to the fraud squad of their local police force [click here]. Recipients of such e-mails should never respond, even to express anger or opposition - this simply indicates that one's e-mail address is valid and active which, in itself, is useful information to criminals.
Department of Trade & Industry consumer guide to scams click here
UK Metropolitan Police advice click here
UK site of the National Criminal Intelligence Service click here
The 419 Coalition Web site click here
American site on Nigerian frauds click here
The Italian policy believe that the Sicilian Mafia is laundering vast sums of money in cyberspace by its use of on-line trading and banking. The police in Palermo have discovered a £330m fraud which involves recycling tainted profits into legitimate assets such as stocks and shares. The global nature of the Internet and money laundering is clear from the information that the money was shunted between an American company incorporated in New Zealand, on to the Cayman Islands, and then to accounts in Israel and Spain. The money was subsequently deposited in Switzerland and carried by hand to banks in Croatia, Romania, Russia, China and Liberia. Some observers believe that it is these vast sums of currency swishing around that destabilised the Euro in its first year of operation.
There can be a problem – although not necessarily a crime – in the accessing over the Internet of unregulated medicines or remedies. For instance, in December 2000 the US “Annals Of Internal Medicine” reported the death of a 55 year old man from internal bleeding following his use of hydrazine sulphate which he had bought over the Net to combat his facial and sinus cancer. This treatment is not available on prescription and can cause blood disorders.
In the UK, thanks to a flaw in the Medicines Act 1968, drugs are being sold over the Internet that can have serious side effects and should only be prescribed after a detailed consultation with a doctor. These drugs include the anti-impotence drug Viagra (sildenafil), the stop-smoking treatment Zyban (bupropion) and the slimming pill Reductil (sibutramine). The Medicines Control Agency (MCA) is trying to regulate the situation.
A company with the innocuous name Direct Response Marketing (DRM) is based on the tiny island of Sark in the English Channel, but operates a number of Web sites selling prescription drugs which are dispensed by a pharmacist in the nearby island of Jersey. The offerings include the slimming pill Xenical (orlistat) and the hair-loss treatment Propecia (finasteride).
Criminality is involved when prescription drugs are improperly obtained via the Internet. In March 2000, 22 people were arrested in Thailand as a result of a joint operation by United States and Thai customs agents against online sales of drugs – including tranquillisers and steroids – mailed to customers overseas, mostly in the USA. Three Web sites were involved in the illegal export of the prescription drugs. In the United States, six arrests were made of people accused of buying drugs from the on-line pharmacies.
In November 1999, a British Internet service provider Kingston Internet Webmaster closed down the Web site of James Hulbert, a 67 year old man from Hull, because the Lord chancellor’s Department complained about material posted on the site which criticised five judges who presided over cases in which Hulbert said that he was denied justice. Following this action, Hulbert transferred the material to a US Web site which shows the difficulty of enforcement in the context of a global network.
In March 2000, the British Internet service provider Demon Internet – now owned by Thus – settled a case of alleged defamatory libel a week before it was due to go to court. The case was brought by Dr Laurence Godfrey, a physicist, and concerned newsgroup postings in January 1997 and July 1998 which Demon did not remove in spite of complaints from Godfrey. Demon agreed to pay him £5,000 for the first libel, £10,000 for the second libel, and an estimated £230,000 in costs.
In May 2002, there was the first case in Britain of someone sucessfully taking action against a defamatory libel posted on the Internet. The action was brought by former teacher Jim Murray against his former pupil Jonathan Spencer (ironically now a teacher himself) in respect of comments posted on the popular Friends Reunited web site. Spencer claimed wrongly that Murray was sacked from his post after "making rude remarks about girls" and "strangling" a pupil, but he failed to attend the hearing at Lincoln County Court and Murray was awarded £1,250 and £150 in costs.
In Ireland, in December 1999 a man was imprisoned for spreading false allegations on the Internet in respect of an innocent teacher. The teacher had been accused of involvement in child sex abuse and child pornography.
In March 2006, a woman who posted false sexual allegations on the Internet about a Parliamentary candidate for the UK Independence Party became the first person in a British court to be sued successfully for libel on the web. Tracy Williams was ordered to pay £10,000 damages to Michael Keith-Smith and issued with a High Court order banning her from further abusing him on any website.
Details of Hulbert case click here
Details of Godfrey case click here
In the UK, the Malicious Communications Act 1988 makes it an offence to send letters with the intent to cause distress or anxiety. Amendments were made to the Act in 2001 to include e-mails and text messages. Of course, a key isue here is traceability, but tracing an e-mail back to its source is usually relatively easy, since all e-mails contain a header - a sequential list of each host that the message has passed through [for more on traceability click here].
Furthermore the Protection from Harassment Act 1998 can be invoked against anyone who engages in persistent harassment in either the physical or the cyber world. The first person in the UK to be charged with cyber stalking was Cambridge graduate Nigel Harris who harassed his ex-girlfriend Clare Dawson following the end of their two-year relationship. Dawson contacted the police when a stream of e-mails because increasingly threatening and Harris was made the subject of a restraining order. Subsequently, a Middlesex Guildhall Crown Court, Harris was found guilty of breaking the order and sentenced to three months in prison.
In another UK case, in March 2001, Donald Ridley pleaded guilty to 25 offences relating to “Internet stalking” and child pornography. He conducted a campaign against a young woman, whom he had met six years previously when she was 17, by setting up a Web site which invited strangers to rape and abuse here. At one point, his victim was receiving around 30 e-mails a day from people who had seen the site and a number even turned up at her home. Ridley was sentenced to seven and a half years in prison.
A third UK case - which came to court in March 2003 - involved a radio listener who hounded a radio presenter with anti-semite e-mails during a six-year campaign of more general harassment. Electrical engineer Philip Norman bombarded Ed Doolan of Birmingham-based BBC WM with around 40 offensive messages. He was jailed for 18 months.
Still another UK case - in May 2003 - involved 50 year old David Cruz in a seven-month campaign against 26 year old Chloe Easton in which he sent anonymous obscene e-mails and text messages and put her details on a prostitutes' web site. He was sent to prison for five months.
Cyberangels click here
Stalking Victims’ Sanctuary click here
In the summer of 1999, hackers thought to be working for Russian intelligence were found to have broken into the systems of the Pentagon. Richard Clarke, head of counter terrorism efforts for the US National Security Council, insists that several nations have developed cyber-warfare capabilities.
In Japan, the Aum Shinrikyo cult – which launched the sarin gas attack that killed 12 people in the Tokyo subway in 1995 – is now suspected of having up to 40 members running five software companies whose clients included the defence, construction, education and posts & telecommunications ministries of the Japanese Government. The fear is that cult members may have installed back door protocols, timed viruses or bugs.
Among the trends noted recently by computer security officials have been an illegal trade in ageing Cray super-computers which are ideal for cracking complex encrypted passwords used to guard major installations and companies. In the hands of a terrorist organisation, such computers could substantially assist a cyber attack on a country or company.
WHAT CAN BE DONE?
In the first instance, Internet users – especially those making purchases on the Web – need to exercise a sense of caution, as they ought to do with any off-line purchases. This included checking the security policy of the Web site and being particularly cautious when dealing with an unknown or new brand. It might be helpful to note that any Web site with an address beginning with “https” is using an encryption technology called Secure Socket Layer (SSL). A new technology which will eventually replace SSL is Secure Electronic Transaction (SET).
In Britain, general advice on e-shopping can be found on the Web site of the Department of Trade & Industry. TrustUK is a joint initiative of the Alliance for Electronic Business and the Consumers’ Association, endorsed by the Government, which accredits on-line codes of practice of associations and organisations and members’ Web sites display an e-mark. Where services like banking, insurance and mortgages are concerned, the new Financial Services Authority may be able to help.
Department of Trade & Industry click here
TrustUK click here
Financial Services Authority click here
In the United States, there are a number of industry-led initiatives designed to give the on-line consumer advice and protection.
Netcheck Commerce Bureau click here
Better Business Bureau click here
Online Privacy Alliance click here
Some excellent work on how crime is likely to change in the future, with particular reference to e-crime, can be found in the work of the Crime Prevention Panel of the UK’s Foresight Programme. The Panel has issued both a consultation paper entitled “Just Around The Corner” and a report entitled “Turning The Corner”. The report calls for the establishment of “a national e-crime strategy” including “the formulation of a specialist hi-tech crime reduction training academy for both law enforcement and business”.
Clearly, in the face of these new technological threats, there needs to be much better co-ordination between law enforcement agencies and other relevant parties. In the UK, there is an Internet Crime Forum which brings together representatives from law enforcement, Government and the Internet industry. It meets quarterly and allocates specific issues for consideration by multi-agency sub-groups.
Link: Internet Crime Forum click here
Of course, the global nature of the Internet is such that many of the initiatives that will be necessary to combat cyber-crime will need to be multi-national and even global.
One important such initiative is the Council of Europe’s Convention on Cybercrime which was adopted in November 2001 [for text click here]. The Convention, which was drawn up with the participation of non-European countries such as the USA, Canada, Japan and South Africa, will be the world’s first international treaty in the field.
Ultimately the prevalence of cyber-crime is bound to lead to the development of cyber-forces within the police and intelligence arms of Government.
In the UK, the Home Office has funded the establishment of a special multi-agency unit to counter criminal activity on the Internet. The new unit is called the National Hi-Tech Crime Unit and comprises representatives from the National Criminal Intelligence Service (NICS), the National Crime Squad, the Association of Chief Police Officers (ACPO) and the Customs & Excise.
The National High-Tech Crime Unit commenced operations in April 2001. Some £25 million has been assigned for the recruitment of up to 40 dedicated investigators based at the Unit itself and at least one dedicated investigator in each of the 43 police forces in England & Wales.
Other associated developments include investment of £37 million in a National Management Information System (NMIS), a ‘data warehouse’ that will allow ’data mining’ of collated and consistent crime information, and £25 million of expenditure for the establishment of a National Technical Assistance Centre for processing lawfully obtained computer communications and encrypted data.
Link: NICS report “Crime On The Information Highways” click here
In the UK, a number of local police forces have set up specialist units to combat computer crime. One of these is the West Yorkshire police force which has established a Telecoms and Computer Crimes Unit.
Link: West Yorkshire unit click here
In the United States, since February 1998 there has been a National Infrastructure Protection Centre (NIPC) located in FBI Headquarters. Now President Clinton believes the risk of cyber terrorism to be sufficiently real to ask the US Congress to approve a $2 billion programme to train a new generation of ‘anti-hackers’. The specialised college where these people will be trained will be called the Institute for Information Infrastructure Protection. Meanwhile, in March 2000 a special Presidential Working Group published its comprehensive report entitled “The Electronic Frontier : The Challenge Of Unlawful Conduct Involving The Use Of The Internet”.
National Infrastructure Protection Centre click here
Working Group report on “The Electronic Frontier” click here
A key skill for any law enforcement agency acting on Internet crime is that of forensic computing. In the UK, a new computer forensics training centre has been set up in Liverpool by the California-based Guidance Software.
Link: Forensic computing site click here
“Anarchy Online: Net Crime” by Charles Platt (HarperPrism, 1996)
"The Internet, Law And Society" edited by Yaman Akdeniz, Clive Walker & David Wall (Longman, 2000), especially Chapters 12,13 & 15
"The Future Of Netcrime Now" by Sheridan Morris (Home Office, December 2004) click here
Last modified on 22 March 2006
“’Hacker’ is a term of honour and respect. It is a term that describes a skill, not an activity, in the same way that ‘doctor’ describes a skill”.
Kevin Mitnick, recently released from prison after serving five years for breaking into the computer systems of several multinational corporations, writing in the “Guardian” on 22 February 2000.
I AM VICTOR ADEBANJO, MEMBER OF COMMITTEE MOVEMENT FOR THE SURVIVAL OF OGONI PEOPLE [MOSOP] RIVER STATE, NIGERIA
It is a great pleasure writing you this mail. I am a member of the movement for the survival of Ogoni people of River-State of Nigeria, as nominee of the committee inaugurated in 1992 by the community to fight against the inadequate compensation by the government of Federal Republic of Nigeria, and some other independent Oil marketing companies e.g. Chevron, Shell and Mobil Producing Oil Companies, in Nigeria.
Day-in-day-out, due to the activities of these Oil Companies, our people have suffered untold hardship, ranging from destruction of our houses, our land is being polluted by waste produced during production and aquatic life is virtually non-existence/threatened to extinction. All these coupled with refusal of the government to compensate our people led to creation of MOSOP. This gruesome killing of our sons among whom is our illustrous son Mr. Ken Saro-Wiwa (author and play write).
However, during the era of the military, all attempt to get adequate settlement/compensation failed for reasons believed to be selfish, as government gets annual right/homage from these oil firm. But with the coming of the present civilian government, my committee presented our case in conjunction with the association of oil producing areas of Nigeria to the government and we were compensated with 13% derivation [thirteen percent of the total oil revenue of the country. Our State has since gotten her share of the compensation, with Ogoni community alone receiving seven-hundred and fifty millions dollars, so after all that has been done and the Ogoni people re-settled in a Virgin Land, there was still left US$80million, unknown to others.
We (committee members) therefore will need you to act as a beneficiary of this fund. As we cannot be seen by our community or the government as having such money, the money is in three box in a security company waiting to be moved. To consummate the transaction will take at least (14) working days as soon as you provide us with your full name,address, telephone and fax number. With this information approval will be secure in your favour.If you wish to help us please reach me back on any of the above email address.
75% for us (Transaction initiators)
20% for you (Beneficiary)
5% for expenses (Local and International)
Thanks for your anticipated co-operation.