FBI on trail of e-mail fraud

Scheme: Criminals and terrorists reach for your wallet through a barrage of computer messages and an Internet scam known as "phishing."

February 13, 2004 | By Laura Sullivan, Sun National Staff

WASHINGTON - Sitting at his home in Virginia Beach, Joe Yuhasz almost reached for his wallet when an e-mail message popped into his inbox and told him America Online needed to verify his credit card information.

The site linked to the e-mail looked identical to AOL's billing center, until Yuhasz noticed that the domain name was a fake - a scam commonly known as "phishing." Most people recognizing a possible fraud would have deleted the message and moved on. But Yuhasz, a cybercrime specialist for the FBI, had other plans.

The ensuing investigation led to the conviction of two people, the last of whom was sentenced three weeks ago to four years in prison, and netted hundreds of stolen credit card numbers from across the country.

A growing problem

This type of scheme, which tricks people through fake Web sites and sob stories into giving up their credit card and bank numbers, is threatening to swamp the bureau's Internet crime center with the volume of attacks.

And while the scams were once the product of a few small-time hackers or anti-establishment loners in the United States, FBI officials and computer experts are seeing growing signs that the culprits are members of organized crime and terrorist support groups, almost all of whom are working from abroad.

"It has been significantly increasing month after month," says Dan Larkin, chief of the FBI's Internet Crime Complaint Center. "United States citizens and businesses are very attractive targets for the world. We're getting clobbered."

The e-mail, which asks people to "update" their personal information - Social Security numbers, dates of birth, passwords and the like - or tells a well-concocted tale meant to trick people into divulging their credit card and bank account numbers, comprises more than half of the 15,000 monthly citizen complaints filed to the FBI's Internet crime center.

The fraud schemes have become the single most prevalent crime on the Internet, experts say, and they have become markedly more sophisticated over the past few months.

FBI officials suspect the scammers' growing skill is a sign not of a learning curve but of the introduction of more savvy and experienced criminals into the fraud schemes. Officials believe crime syndicates - especially in Russia and the former Soviet bloc - have begun to realize how much money they can make with little or no overhead.

They say terrorist sympathizers, possibly operating out of Africa and the Middle East, have also begun using phishing schemes to steal identities and make fast cash after being shut out by counterterrorism measures from their traditional avenues of funding, such as bogus charities.

"There is so much money being made off these schemes," Larkin says. "There's a lot more thought going into them and to keeping law enforcement at arm's length."

In December, Tumbleweed Communications, a 5-month-old anti-phishing consortium in Redwood, Calif., clocked more than 60 million phishing schemes sent out via e-mail - the highest monthly total.

The problem, though, is not just that there are more messages coming, but that more people are falling for them.

Dan Maier, senior program marketer for Tumbleweed, says that a year ago, phishers could be easily spotted by their poor English and bad logo designs.

One well-known example was an e-mail purportedly from Citibank written in what Maier's team calls "Russian English." Now, phishers seem to have mastered the proper grammar and lingo, usually stolen from actual company messages, as well as detailed graphics that, for example, warn customers of a "fraud alert: please confirm your account."

While only .01 percent of all computer users respond to regular spam, up to 5 percent of phishing recipients message back.

"They're playing on the trust people already have in their banks, their [Internet service providers], eBay," Maier says. "They hijack the brand because people trust the brand. They trust e-mails they get from their bank."

Until recently, there has been little that law enforcement could do to catch phishers abroad. Most host countries have had little interest in devoting resources to stopping the elusive practice, which moves quickly from Internet cafe to Internet cafe and country to country.

One criminal can send a million e-mail messages within minutes with a single list - and many of the e-mails now contain electronic "trap doors" that allow phishers access to company or personal e-mail lists containing hundreds of thousands more names.

"They believe the United States law enforcement is too far away and that their transactions are too well concealed for them to actually be caught," Larkin says.

Cracking down

FBI officials have recently made headway in Ghana and Nigeria, where a team of investigators touring last summer stumbled upon dozens of open-air markets selling long lines of stolen goods, high-end electronics and luxury items from the United States, bought with stolen credit card numbers.

Baltimore Sun Articles