header image
Internet Fraud Meets Its Match on Internet
November 6th, 2005 by dm Law & Policy, Phishing none Comments

Education is useful. And tricky. What you want to do is educate people about the dangers of the Internet and how to stay safe, but don’t scare the users from spending time online.

The FBI, Monster Worldwide, the National White Collar Crime Center, the U.S. Postal Inspection Service, Target Corp. and the Merchant Risk Council established LooksTooGoodToBeTrue.com, a Web site containing a variety of educational tools to keep consumers safe from fraudsters.

"In this virtual world, every day is Halloween," said Lee Heath, chief postal inspector at the U.S. Postal Inspection Service, at a press conference. "Cyber-criminals hide behind their masks concealing their identities, holding out an ample bag of tricks and very few treats for legitimate consumers."

The site provides some questionnaires to help users determine whether they are victims of different common types of Internet fraud. Good start, hopefully this site would not turn out to be a one-week story.

[Via InternetNews.com -]

British man jailed for eBay phishing fraud
November 6th, 2005 by dm Phishing none Comments

A British man was sentenced for four years for masterminding an eBay Internet auction scam to steal computer account details from users and assumed their online identities. Levi, 29, led a gang who tricked eBay traders between July 2003 and
2004 into giving away their passwords and account details by sending
emails to them pretending to be from the California-based company.

Levi led six others in a gang which scooped almost $355,000
through a "phishing" fraud–the practice of stealing goods after
tricking computer users into revealing their bank details.

[Via CNET News]

Man arrested over botnet accusations
November 6th, 2005 by dm Spam none Comments

A 20-year-Californian, Ancheta,  accused of using thousands of hijacked computers, or
botnets, to damage systems and send massive amounts of spam across the
Internet was arrested on Thursday in what authorities called the first
such prosecution of its kind.

"Normally what we see in these cases, where people set up these bot
systems to do, say, denial of service attacks, they are not doing it
for profit, they are doing it for bragging rights," he said. "This is
the first case in the nation that we’re aware of where the guy was
using various botnets in order to make money for himself."

Ancheta has been indicted on a 17-count federal indictment that charges
him with conspiracy, attempted transmission of code to a protected
computer, transmission of code to a government computer, accessing a
protected computer to commit fraud and money laundering.

[Via ZDNet UK, UK -]

Did Sony CD Malware Violate US Computer Fraud and Abuse Act?
November 4th, 2005 by dm Forensics, Hacking none Comments

I think it would be a stretch to say that Sony violated CFAA, but I have to admit that in my opinion they come pretty close.

Many readers are well-aware of the scandal of the week in cyberspace - Sony’s stealth digital rights management system which installs automatically (and without any notice to the user) has been likened to rootkits deployed by hackers. In fact, hackers are already taking advantage of the rootkit by using its ability to run software in stealth mode - there are millions of Sony CDs played on [arguably] millions PCs which are potential rootkit hosts.

Can/should Sony be prosecuted under CFAA?

As a threshold issue, because CFAA criminalizes unauthorized access to a computer, we have to look whether Sony’s installation of their DRM software was authorized or not. The EULA says,

As soon as you have agreed to be bound by the terms and conditions of
the EULA, this CD will automatically install a small proprietary
software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is
intended to protect the audio files embodied on the CD, and it may also
facilitate your use of the DIGITAL CONTENT. Once installed, the
SOFTWARE will reside on YOUR COMPUTER until removed or deleted.
However, the SOFTWARE will not be used at any time to collect any
personal information from you, whether stored on YOUR COMPUTER or
otherwise.


Prof. Felten argues that "a rootkit neither protects the audio files nor facilitates use of the content." Additionally, the EULA does not indicate that the users would not be able to download music from the CD onto their iPod (which they are legally allowed to do under copyright law) or that attempting to remove the software would make their computer’s CD drive inaccessible. Also, it is not clear whether the EULA is presented to the user at the point of sale (on the back of the CD) or they are "stuck" with it once they buy the CD, break the seal, and cannot return the opened CD. With all this in mind, a pretty good claim may be made that the EULA is invalid.

Assuming that the EULA is invalid, then Sony’s stealth rootkit installation would clearly be unauthorized access to a computer (all the user is authorizing is the computer to play the music CD.)

18 U.S.C. 1030 (the Computer Fraud and Abuse Act) is the major US statute prohibiting unauthorized access to a computer.

Section 1030(3) criminalizes acts  by anyone who "intentionally, without authorization to access any nonpublic computer
of a department or agency of the United States, accesses such a computer of
that department or agency that is exclusively for the use of the Government
of the United States or, in the case of a computer not exclusively for such
use, is used by or for the Government of the United States and such conduct
affects that use by or for the Government of the United States"

Sony can expect that people play their CDs at work, and from the millions of CDs sold, Sony can reasonably anticipate that at least some portion of these users will be in a department or agency of the United States.


Section 1030(5)(A)(i) criminalizes acts by anyone who "knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer"

Did Sony intend to cause damage by installing the rootkit? It is clear that Sony intended to install the software on the user’s computer, but the intent requirement under CFAA must be towards the damage. In other words, this section requires that Sony intended to cause damage to the user. I’d say Sony wins this one.


Section 1030(5)(A)(ii) criminalizes acts by anyone who "intentionally accesses a protected computer without authorization, and
as a result of such conduct, recklessly causes damage"

Was Sony  reckless in installing the rootkit? Claim is that Sony was reckless in providing for software which causes system instability, insecurity, and cannot be uninstalled. Mark Russinovich, the person who first identified and analyzed the rootkit indicated that "not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall."


Section 1030(5)(A)(ii) criminalizes acts by anyone who "intentionally accesses a protected computer without authorization, and
as a result of such conduct, causes damage"

Can you prove damages to qualify under this section? Although there is great deal of ambiguity as to what can count as damage under CFAA, many people will be able to point to crashed systems, time spent recovering, reinstalling, or patching affected computers. This sounds like damages to me.



In conclusion, I think that the biggest issue is whether the EULA and its [passive] acceptance by the user constitutes "authorization" for CFAA purposes. If the EULA is considered invalid authorization, then there are certainly some sections of the CFAA which may spell trouble for Sony. But this is just my opinion.

Nigeria joins antiscam effort
November 4th, 2005 by dm Scams none Comments

Maybe it is just because of the bad name and publicity that Nigeria received because of the so-called "Nigerian" scams (aka 419 scams) but Nigeria has announced efforts to curb scams originating there.

419 and other Nigerian variants of cybercrime have done unquantifiable
damage to Nigeria’s image and credibility. The government has resolved
to deal a fatal blow to the cybercrime networks operating from Nigeria
and the West African sub-region.

Nuhu Ribadu, the executive chairman of the Economic and Financial Crimes Commission of Nigeria

How is Nigeria going to "deal [the] fatal blow" to cybercrime networks? According to Mr. Ribadu, Nigeria "will  monitor cybercafes and take on a ’significant’ number of cases against such criminals based in Nigeria." I am not sure what is Nigeria’s record on privacy, but this sounds just as an excuse to monitor what Nigerians are doing online and with whom they are communicating. Prosecution of cyberscams is fine, but are there sufficient laws for this? If there are laws, why weren’t they enforced so far, and if there are no laws, why is this not the first step?

[Via CNET News.com, United States -]

 Next entries »