Cybercrime stories

[Al-khiyal]

Russian gang hijacks computers in new form of attack

August 6, 2008 -- A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords and do other forms of damage, according to computer security investigators.

Several security experts say that although attacks against network administrators are not new, the systematic use of administrative software to spread malicious software has not been widely seen until now.

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta.

Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet. The program was running at a commercial Internet hosting computer center in Wisconsin.

Stewart alerted a U.S. law enforcement agency that he declined to identify, and he said that it was investigating the matter.

Although the original command program was shut down, the gang immediately reconstituted the system, he said, moving the control program to another computer in the Ukraine, beyond the reach of law enforcement in the United States.

The system infects PCs with a program known as Coreflood that records keystrokes and steals other information. The network of infected computers collected as much as 500 gigabytes of data in a little more than a year and sent it back to the Wisconsin computer center, Stewart said.

One of the unique aspects of the malicious software is that it captures screen information in addition to passwords, according to Mark Seiden, a veteran computer security engineer. That makes it possible for gang members to see information like bank balances without having to log in to stolen accounts.

Stewart's discoveries are evidence that while the botnet problem is now well understood, botnets are still a widespread threat.

"The rate of infection is still high, but concern among corporations is low," said Rick Wesson, a botnet investigator at Support Intelligence, a security consulting firm in San Francisco.

"Many corporations seem to think it's O.K. to be infected several times a month."

Stewart and other computer security investigators have previously described the activities of the gang that uses the Coreflood program.

But Stewart plans to offer new details about the gang, which has operated with impunity for several years, at the Black Hat Briefings computer security conference that begins Thursday in Las Vegas.

As part of his investigation, Stewart charted the rate of computer infections at a state police agency and a large hotel chain. Both were victims of an outbreak that began after the gang obtained the password and login information of their network administrators. In both cases hundreds or thousands of computers were infected within minutes or hours.

Stewart would not name the organizations because of the continuing law enforcement investigation.

In these examples as well as a range of others, the gang infected a machine belonging to an administrator and then used Microsoft administrative tools to infect all the computers for which that person had responsibility, Stewart said.

The new attack is a byproduct of the way modern computer networks are administered, where authority is centralized and software updates for thousands of machines are automated.

"The great thing about this system is that from one computer it is possible to push out updates to all machines in a corporate network at once," Stewart said. "This is a useful tool that Microsoft has provided. However, the bad guys said, 'We'll just use it to roll out our Trojan to every machine in the network."'

A Microsoft spokesman declined to comment on the attacks.

Stewart said that the gang behind the Coreflood program was responsible for 378,000 infections over 16 months. In each case the infected computer would capture and transmit personal information to a centralized database that kept track of the "spies" in the network.

In his Black Hat presentation, Stewart plans to say that he believes the Russian gang was behind a successful theft of money from the bank account of a Miami businessman, Joe Lopez.

In April 2004, someone made an unauthorized wire transfer of $90,348 from Lopez's account with Bank of America to Parex Bank in Riga, Latvia. Of that amount, $20,000 was successfully withdrawn by a person using a false identity. The Coreflood program was found on Lopez's computer.

After discovering the control program in Wisconsin, Stewart tracked the online activities of some gang members in a Russian city that he declined to identify because of the investigation.

He said translations of some entries on the blogging site LiveJournal had led him to believe that one member of the gang had died, but that others remained active. He said that he had provided investigators with a wealth of information about the group from members' online discussions and other material he had collected.

"If the Russians are sincerely interested in tracking these guys down, I think it's possible," he said.

[Al-khiyal]

Alleged MySpace hoaxer on trial today

November 19, 2008 -- Opening statements could begin as early as this afternoon in a potentially landmark trial of a suburban mother accused of organizing an online hoax that ended in the suicide of her teenage neighbor.

Prosecutors say Lori Drew, 49, along with her daughter and assistant, used the social networking Web site MySpace to trick and torment Megan Meier, an insecure 13-year-old girl who lived down the street in Dardenne Prairie, Missouri.

Drew and others allegedly pretended to be a 16-year-old boy named Josh, who during several weeks, befriended, flirted with and ultimately rejected Megan.

After the story first appeared in a local paper, the case generated headlines around the world and led to threats against Drew and her family. But the trial, in federal court in Los Angeles, will focus not on whether Drew caused Megan to commit suicide, but on a seemingly more mundane issue: whether Drew violated MySpace's terms of service in order to inflict emotional distress on Megan.

Drew has been charged with conspiracy and three counts of unauthorized access to protected computers; each charge carries a maximum five-year prison term. She has pleaded not guilty and, if convicted, will likely face a lower sentence under federal guidelines.

The case is believed to be one of the first of its kind to use the statute barring unauthorized access to computers, which has previously been used to combat computer hacking, to address so-called cyberbullying. Drew's lawyers and outside legal experts have argued that the unusual prosecution, if successful, could broaden the scope of what's considered criminal conduct on the Internet.

"It seems this is advancing arguments that are a dangerous expansion of the law," said Paul Ohm, a former attorney with the Department of Justice's Computer Crime and Intellectual Property Section who now teaches at the University of Colorado. "When you think of computer hacking, you think of picking virtual locks. But when we're talking about violating the terms of service, we're no longer talking about breaking a lock, just about breaking a rule that you probably didn't know existed."

A conviction "will really strengthen the Department of Justice's hand to go after all sorts of conduct they don't go after today. It could open doors to all sorts of prosecutions that we wouldn't imagine today," said Ohm, who signed a friend of the court brief asking for the case to be dismissed.

According to prosecutors, for several years, the Meiers and the Drews were friendly. Both families had girls the same age who attended school together and had gone on family trips together.

Megan's mother, Tina Meier, reportedly told Drew that Megan was suffering from depression, that she was "vulnerable" and that she worried her daughter might try to hurt herself.

But the relationship between the girls was "at times, rocky," prosecutors say. The pair drifted apart and, in 2006, Drew suspected that Megan was spreading rumors about her daughter. Prosecutors say Drew, her daughter and her 18-year-old assistant, Ashley Grills, set up a fake MySpace account in the name of Josh Evans, an attractive 16-year-old boy who was new in town, to spy on Megan.

They allegedly used the Josh Evans account to contact and befriend Megan. Within a few days, prosecutors allege, Drew encouraged her daughter and Grills to flirt with Megan and planned to lure the teenager to the mall to confront her with the hoax and taunt her, prosecutors say.

In October 2006, another neighborhood girl obtained the password to the Josh account and sent Megan a message saying that Josh no longer wanted to be her friend. The next day, the argument escalated until Grills, posing as Josh, told Megan the world would be a better place without her in it.

About 20 minutes later, Tina Meier found her daughter hanging from her belt in her bedroom closet. She died at the hospital the next day.

Grills said during an interview with "Good Morning America" she wrote that final message in an effort to end the online relationship with Josh because she felt the joke had gone too far.

Drew has previously denied involvement in the hoax, saying she didn't know about the mean messages being sent to Megan, and her attorney Dean Steward told The Associated Press that part of Drew's defense would be that she was not at home when the final message was sent.

Her daughter, whose name is being withheld because of privacy concerns, and Grills have not been charged

Prosecutors claim that after Drew learned what had happened, she told her daughter and Grills to delete the MySpace account and told the girl who said that Josh no longer wanted to be Megan's friend to "keep her mouth shut." At one point, after admitting she had told others to take down the MySpace page, Drew allegedly said, "It's not like I pulled the trigger," prosecutors say.

When Megan's parents learned of Drew's alleged involvement, they contacted the police and the FBI. Local and federal prosecutors in Missouri investigated but never charged Drew, concluding that no crime had been committed, according to court records. Federal prosecutors in Los Angeles, where MySpace's computer servers are located, took the case to a grand jury, which indicted Drew in May.

Jury selection began Tuesday. Judge George Wu ruled last week that prosecutors could present evidence of Megan's suicide, though he reportedly said that he would tell the jury to focus on whether Drew violated the MySpace terms of service. The terms of service bar fraud, harassment or using information from MySpace to "harass, abuse or harm another person."

Some observers say that allowing prosecutors to present the evidence of Megan's suicide raises the possibility that the case, at least in the minds of jurors, will become more about the human drama of a teenage girl's death than about the legal issues involved.

"Once the suicide horse is out of the barn it's hard to tell jurors to ignore that," said Joseph DeMarco, a former federal prosecutor. "In a case like this, where the underlying acts seem to be innocent in and of themselves, the inflammatory word 'suicide' might have disproportionate impact."

Though the prosecution has been criticized, prosecutors say the case will not mean that anyone who violates a Web site's terms of service will face criminal charges because prosecutors must still prove that a person acted with criminal intent.

[Al-khiyal]

First 'cyber-bully' trial opens

November 21, 2008 -- A housewife who created a phoney MySpace account to send hostile emails to a neighbour's 13-year-old daughter appeared in court yesterday charged with "cyber-bullying" that prompted the girl's suicide.

Lori Drew is accused of posing as a fictitious 16-year-old boy called "Josh Evans" in a plot to befriend and later send taunting messages to Megan Meier, a vulnerable girl with a history of depression who was being bullied at school. Ms Drew set out to "tease, embarrass, humiliate, make fun of and hurt" the "suicidal and boy-crazy" girl, said prosecutors, using the social networking site to tell Megan that "the world would be a better place" without her.

Megan replied, telling "Evans" that he was "the kind of boy a girl would kill herself over", then hanged herself with a belt, in an upstairs room of her family home in the small town of O'Fallon, Missouri, the jury heard.

In a landmark case, the first "cyber-bullying" prosecution in the US, Ms Drew, 49, faces one count of conspiracy and three counts of computer fraud, which each carry a maximum of five years in prison.

She sat expressionless in court on Wednesday as Megan's mother, Tina, recalled how her daughter, who was taking medication for attention deficit disorder, had apparently been befriended by a boy online in September 2006.

A month later, during a visit with her younger daughter to the orthodontist, Tina Meier told the jury how she had called home to see how Megan was doing, and discovered her in tears, because "Josh" and two other girls were "saying mean things about her".

Later that day, Mrs Meier asked Megan to show her the messages, and then scolded her for being online without a parent present. "The last words she said to me were, 'You are supposed to be my mom; you are supposed to be on my side'," she said.

Soon afterwards, Mrs Meier heard a commotion upstairs and discovered Megan had hanged herself in a wardrobe. She screamed for her husband, who used a knife to cut his daughter down. But it was too late: Megan died in hospital the following day.

Ms Drew, who lived nearby, has been accused of using a fake MySpace account to find out whether Megan had been spreading false rumours about her daughter, Sarah, who attended the same school.

Another witness, Susan Prouty, who manages an interior design shop and did business with Ms Drew's magazine coupon firm, testified that the defendant had told of her plan to print out a thread of flirtatious messages to take to Megan's school.

Ms Drew said the idea was to "humiliate her", claimed Ms Prouty. She justified the plot on the basis that, "As a mother, you have to protect your daughter".

The case revolves around charges that Ms Drew lied on the fake MySpace profile, violating the site's terms of service which require users to provide "truthful and accurate" registration information. The case is being heard at a federal court in Los Angeles because Fox Interactive, the owner of MySpace is based in nearby Beverly Hills.

Ms Drew's attorney, H Dean Steward, fought unsuccessfully to have the charges thrown out before trial, arguing that people routinely create fake identities on the internet without fear of prosecution. He also tried, and failed, to ban prosecutors from mentioning Megan's death on grounds that it might prejudice the jury.

Much of the trial will revolve around technical aspects of social networking. Ms Drew claims she was not at home when the fateful, final message was sent, and – while she admits to knowing about the Myspace account – blames her daughter Sarah, and several friends, for sending the hostile messages.

"There are two sides to every story," said Mr Steward, who asked jurors not to let emotions cloud their judgement, and to remember that, "this is a computer abuse and fraud case, not a homicide case".

The trial continues.

[Al-khiyal]

Mother accused of cyber-bullying faces year in prison and $300,000 fine

November 27, 2008 -- A woman accused of creating a fictitious persona on MySpace to bully a 13-year-old neighbour who then took her own life, was acquitted yesterday on the most serious charge that she had accessed a computer without authorisation in order to inflict emotional distress.

But Lori Drew, 49, was convicted on three lesser misdemeanour crimes of accessing a computer without authorisation. She faces up to one year in prison and a fine of $100,000 (£65,233) for each charge.

The trial, thought to be the first one for cyber-bullying in the US, stemmed from the 2006 suicide of Megan Meier, 13, at her home in the St Louis suburb of Dardenne Prairie, Missouri. Megan hanged herself after receiving a message on MySpace from a boy she had befriended named Josh Evans. But Evans was a fake, created by Drew, her daughter Sarah, 13, and Ashley Grills, 18, one of Drew's employees.

Calling the outcome "a compromise verdict", Drew's lawyer Dean Steward said: "The US attorney's office never should have brought this case, and I think that was the message from the jury."

The message at the root of the case was sent by Megan to Grills. In it, she suggested that Drew's daughter was ugly and a lesbian.

Angered that Megan had been "spreading lies" about her daughter, and eager to "expose" her, Lori Drew together with Grills and Drew's daughter concocted a plan to humiliate Megan and to find out what else she was saying online.

They came up with 16-year-old "Josh Evans", who had recently moved to the area. They created a MySpace profile for the fictitious boy, and even included a picture of the tousle-haired "Evans" posing bare-chested. Megan, a young, impressionable girl prone to depression, was hooked.

The two began to exchange messages. At one point, said Grills, Drew suggested arranging for the boy to meet Megan at a local shopping mall. Grills, Drew and her daughter Sarah would then "pop out" and tease Megan.

But what may have started as a prank soon turned sinister. Possibly motivated by a desire to end the deception, Grills sent Megan a final message from Josh on October 16 2006. It told her that "the world would be a better place without you" and urged her to "have a [lousy] rest of your life". Megan's response was poignant in the extreme. "You are the kind of boy a girl would kill herself over," she allegedly wrote. Shortly afterwards, she hanged herself.

Prosecutors sought to portray Drew, whose daughter had been a classmate of Megan and who lived nearby, as the mastermind of the plot.

"The defendant knew that she was dealing with a troubled little girl who was extremely fragile, and yet she did it anyway," prosecutor Mark Krause told the court. "It went beyond a simple prank to get her so hooked on this young man that she would be crushed when she found out he didn't exist."

Megan's mother, Tina, testified that her daughter was taking medication for depression and had tried to take her life before.

Krause argued that Drew bragged about the scheme, and continued to talk about her involvement after Megan's death. He cited the testimony of hairdresser Dawn Chu, who told the court that Drew had come into her salon on the day of Megan's wake. When Chu asked her why she was going to the wake given the allegations against her, Drew said: "It's not like I pulled the trigger."

Thomas O'Brien, the prosecutor in Los Angeles who brought the case after prosecutors in Missouri decided there was no law under which Drew could be charged in her home state, pursued the theme of Drew's disregard for Megan in presenting his closing argument before the jury.

"Folks, that's Josh Evans right there," O'Brien told the court. "Lori Drew decided to humiliate a child. The only way she could harm this pretty little girl was with a computer." But the defence attempted to bring jurors' minds back to the legal basis for the prosecution.

"If you hadn't heard the indictment read to you, you'd think this was a homicide case," Steward said. "And it's not a homicide case. This, ladies and gentlemen, is a computer case, and that's what you need to decide."

Drew was charged under the computer use and fraud act with one count of conspiracy and three counts of accessing computers without authorisation. The act is typically used to prosecute hacking or trademark theft cases. But prosecutors decided to charge Drew on the basis that she had violated the terms of MySpace's user agreement, which prohibits the use of false names, the harassment of other users and the soliciting of personal information from minors.

But some observers are concerned that application of the case to an instance of cyber-bullying could have broad ramifications, leaving whistle-blowers, for example, open to prosecution for violating online terms of service.

The concern that the law could be applied too broadly and harm those it is intended to protect was voiced by Steward.

"Nobody reads these things, nobody," he said. "How can you violate something when you haven't even read it? End of case. The case is over."

[Al-khiyal]

Social networking is next for cybercrime, claims guru

December 16, 2008 -- Cybercrime is likely to move into the social networking world, taking advantage of sites such as Facebook and MySpace, says New Zealand encryption guru Peter Gutmann.

"I would assume internet crime will migrate to social networking sites in the future," says Gutmann, who also develops encryption toolkits and researches the usability of security software.

Social networking sites are incredibly powerful virus platforms in that they allow developers to write specific applications for them, which spread in a viral manner.

If these applications were not on a site such as Facebook, they would be considered incredibly fast-spreading viruses, he says.

To date, developers have written social networking applications only experimentally, but Gutmann thinks these platforms will be targeted more heavily in the future. "For some unfathomable reason the bad guys haven't exploited [social networking sites] yet, and I don't know why - it is so easy," he says.

Finding stolen credit card numbers, phone numbers and other personal information is a matter of 10 seconds of searching Google, he says. "It is frighteningly easy to find information - it is not rocket science," he says.

Another thing about these sites is that personal information, posted by users, will be there for ever.

"People put out heaps of personal information, not thinking about how it can be used against them," says Gutmann.

To some extent, cyber crooks are already using social networking sites to launch so called spear-fishing attacks, says Gutmann. By getting names, addresses and other information from, for example, job placement agencies, cyber-criminals can send targeted phishing letters from your bank, and basically "leapfrog and attack from one site to another", he says.

Gutmann, an honorary research fellow of University of Auckland's Department of Computer Science, is passionately involved in making encryption more useable for everyday people. Anybody can get strong encryption off the internet these days, but the availability of strong encryption does not have a huge effect on stopping cybercrime, he says. It's so hard to use, nobody wants to use it, he says.

In his spare time, he researches the usability of security software, which is typically written by geeks, for geeks, he says. "Unless you are a hardcore geek, you've got no hope of understanding it," he says.

Gutmann looks at how people interact with security software and how it can be made easier to understand, but he also investigates if "the masses" really need to, or want to, understand encryption.

[Al-khiyal]

"...According to the statistics compiled in the report, men prove to be the most gullible..."

New figures show cyber crime on the rise

March 30, 2009 -- The cat and mouse game between international law enforcers and technology-savvy criminals perpetrating scams on the internet continues to rage around the world, with the latest figures showing the number of victims and the amount of money they lose is on the rise.

A report analysing internet crime in 2008, put out by a U.S.-based alliance of experts including the FBI, finds that the number of complaints from victims of cyber crime rose by almost a third since 2007. The total number reached 275,284, amounting to $265m (£187m) in money lost.

The year's most popular scam involved goods being bought on the internet and simply not delivered. Other top ruses included the fleecing of individuals through fraudulent auctions on eBay and other auction websites, credit and debit card fraud and the ever-ubiquitous Nigerian confidence trick.

The report was compiled the Internet Crime Complaint Centre, a partnership of the FBI and the National White Collar Crime Centre. It helps law agencies keep up with the ever-morphing world of cyber crime, where new scams arise and transform at lightning speed.

The U.S. is both home to, and victim of, the lion's share of fraud.

Two out of every three of the recorded perpetrators of the crimes came from America and 93% of complainants.

They tended to come from the west and east coasts, as well as Texas and Florida, where internet sophistication is proportionately concentrated.

Internationally, the UK came second in the league table of perpetrators, with 10% registered there. The relative prevalence of the UK might be also a reflection of the high concentration of tech-savvy people there, though several scams also use London as a half-way house from which to contact and meet their victims.

According to the statistics compiled in the report, men prove to be the most gullible - with 55% of the victims being male, and nearly half aged 30 to 50. Men also tended to lose more money to scam-artists than women in a ratio of $1.69 lost per male to every $1 lost per female - though that may be more a reflection of the relative cost of the goods men buy on the web.

The median figure for the amount of money lost by each victim was almost $1,000, underlining the pain that falling for such tricks can cause.

Overall, law enforcers will be disappointed that the gradual decline in complaints that had been seen in the past two years, down to 206,884, has now been reversed. But experts insist they remain by a raft of new tricks, including an audacious scam which involved putting out fraudulent emails under the name of the FBI itself.

The famous Nigerian scam has also been fine-tuned, with the criminals now hacking into an individual's email account and then using it to make unauthorised appeals for financial information to victims.

Leslie Hoppey, an FBI cyber crime expert, said this sort of fraud would always be around. "But people can protect themselves through basic guidelines: don't respond to unsolicited emails, be sceptical of individuals representing themselves as officials, and don't click on links."

[Al-khiyal]