A Web of Fraud

Viruses and worms were just the start. Make way for phishing, spoofing, and spyware.

Many in the IT community have wondered why the internet's bad actors have poured their efforts into penetrating computers and networks but generally refrained from inflicting the worst kinds of damage on those systems. Data erasures are not very common, despite media alarm to the contrary. Entirely disabling a computer is also fairly rare.

Instead, the intruders have concentrated on finding ways to repeat their surreptitious entry on related computers, run processes undetected by users, and work in coordination with other compromised systems.

To be sure, the thrill of the hack is still the motivation for some of the authors of network-borne mischief. But, in recent years, as the internet has become a massive economic world in itself, another readily understood incentive seems obvious: the lure of money.

The waves of viruses, worms, and Trojan-horse insertions that peaked in the fall of 2003 look increasingly like a round of research-and-development for the spyware, phishing exploits, and spam onslaught that has developed since then. That year's infestations have turned out to be the means for transmitting, planting, and managing code used to prey on the unwary.

Viruses established the ability to override computers' normal functions. Worms explored methods for collecting information normally secure behind a computer's access controls. Trojan-horse code makes it possible to activate some unsuspected action later. But these are just the carriers of deeper trouble.

Spyware is a kind of covert software agent installed without a computer's owner suspecting. It sends observations about the computer and its user back to some outside handler. Crime is not necessarily the objective, but the unauthorized diversion of usage data opens doors for the unscrupulous. Any day's worth of navigating the internet is likely to leave at least one of these unseen informers in a computer.

Anti-spyware has joined anti-virus software as a necessary defense on every workstation. Users have many choices among free and paid anti-spyware programs. Lavasoft's Ad-aware SE is available in both free and paid versions. Computer Associates' Pest Control software requires both a purchase fee and a paid renewal. SaferNetworking's Spybot S&D is free and compares very favorably with its paid competition.

Spam, the term applied to unwelcome e-mail (taking its name from the ubiquitous canned meat product of World War II), has become a form of sales cold-calling on a scale nobody imagined possible just a few years ago. If one person in 100,000 agrees to buy, then the logic for sending millions of inquiries is quite clear.

Spam is surely more a nuisance than an overtly criminal act, but its effects on the world of the internet are worrisome.

Sending a high volume of automatically generated mail to users or internet service providers denies use of the network to the recipients, satisfying some vindictive need, at least temporarily. But spam, which by numerous estimates has come to account for between 60 and 80 percent of world e-mail traffic, overwhelms mail readers' ability to focus on trustworthy correspondence. One incautious click (on an attachment or an embedded link) can release a nasty surprise.

Combating spam takes place on two fronts: network management and workstation defense. Enterprise-level tools, including Cisco's Clean Access product and BigFix's Enterprise Suite, comprise a range of security measures: patch management (diagnosis and remediation), workstation configuration, detection and isolation of compromised systems, and enforcement of network-wide security policy.

Arizona State University, an early adopter of Clean Access, credits the product with achieving network security compliance in the hard-to-regulate sector of dorm computing without tying down a large number of IT staff.

On a smaller scale, Linksys--maker of the popular line of consumer-level wireless access point devices--uses network address translation to conceal computing activity on the user's side of its router product. Its routers also include built-in firewalls that examine incoming data packets for suspicious characteristics. Microsoft's XP operating system itself includes a firewall, evidence of the merger of security into basic desktop computer operations.

These countermeasures do not assure that all internet-carried threats can be stopped automatically. Computer users are warned to be vigilant and to follow good network usage practices. After an incident of internet fraud, the University of Colorado at Boulder advised students about the dangers of identity theft, calling it one of the fastest growing types of crime. Central Oregon Community College gives tips for protecting home computers and introduces its website readers to the terms "phishing" and "spoofing," formerly just known inside computer centers.

Phishing (which is sometimes said to stand for "password harvesting fishing," but is more likely a cyber-jargon spelling, as in "warez" and "phreaking") is a set of techniques for deceiving network users into revealing confidential information, such as passwords, PINs, or bank account numbers.

Common ploys include e-mail that appears to come from a reputable company, claims that something is amiss with a user's account, asks them to follow a link, and asks for confidential information--which the misrepresented company would not ask a customer to divulge. Banks will determine an account number after authenticating a customer. ISPs and other legitimate computer account sources never ask a user to reveal a password, and will generate a new one if the user forgets it.

The path from phished information to fraud is, naturally, very short. Seton Hall University advises its network users that a community member was recently victimized by an e-mail that included what appeared to be a link to a bank. The link led to an address that appeared legitimate, complete with the bank's logo, but asked for account information under threat that the account would be closed otherwise.

Spoofing is the assumption of a false identity, usually one trusted by the targeted user, in order to seek unauthorized information or to give false instructions. One recent spoof incident involved e-mail that appeared to come from a system administrator and requested users to change their password--which was then transmitted to the spoofer.

One of the major weaknesses in internet security is that--for technical and usage reasons--it is effectively impossible to tag every message with an authentic identification of origin. Most network users have had the experience of receiving e-mail with a colleague's address as the sender, but which was in reality a forgery sent to the addresses in the e-mail address directory of a compromised computer.

Hoaxes, too, play a role in breaking down network security--even where they claim to alert users to viruses and other threats. These messages typically make a semi-plausible assertion about a "new" risk. They often claim that some authoritative source has announced the problem (betting that the reader will not follow up to verify that claim), and generally urge the recipient to send the message to their lists of contacts.

The hoax is essentially a variant on the chain letter, one of the original abuses of e-mail. The harm in hoaxes and chain letters is nominally that they take up storage space and waste users' time, but the more serious damage is that they erode the vigilance and good practices of those who receive them. Too frequent false scares undermine good practices: the best way to avoid viruses is to keep up an anti-virus subscription, and not to panic every time well-meaning co-workers send messages warning about a particular threat.

The cascade of intrusions in trusted streams of communication, erosions of information privacy, theft of identity, and traps for the unwary sets the stage for fraud. Offers of opportunities too good to be real take a few more victims every day--including some otherwise well-educated people. Most of us are familiar with the so-called "Nigerian bank scam." Strangers offering to share a fortune, but needing access to a helping bank account, seem too ridiculous to credit, but members of the higher education community are not immune to that swindle.

Playing on the emotions of unsuspecting web surfers is certainly not off limits to scammers. A number of fraudulent websites claiming to collect money for tsunami victims' relief have been revealed in recent months. A single lapse of good judgment or misplaced trust is all that is needed for a successful crime.

College and university communities depend on an unusual level of trust. But the illusion of safety that comes with electronic communications, which pass through the physical fences and doors that have generally closed the ivory tower to ordinary threats, is a growing danger. Technologies and products are important defenses, but IHEs must recognize that they need to raise awareness in their communities so that the choices--and casual negligences--of their members do not lead to crime.

