12.1. What Is Being Done to Tackle Internet Fraud?

Everyone realizes that Internet fraud is a serious problem that is not going to go away by itself. Politicians, law enforcement, and industry groups are approaching the problem from different perspectives, with varying degrees of success.

12.1.1. Legislation

The speed with which the Internet has developed has led to many instances of state and federal laws being out of step with technology. Slowly but surely, lawmakers are learning about the new threats and are crafting and passing laws that target certain of these. But these have yet to really prove their worth, either by lowering the incidence of the crime or by securing a significant number of convictions. In the case of Internet fraud, prosecutors often avoid the new laws, preferring to use tried and tested legislation against fraud in general. The courts are familiar with these, and prosecutors can avoid potential pitfalls as they present their cases. This is a Catch-22 situation. Unless the new laws are properly exercised in the courts, they will never become the deterrent that they were intended to be. Some of the laws that are currently used to fight Internet fraud in the United States include:
Anti-spam legislation has received the most attention from lawmakers. In the United States, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (18 U.S.C. 1037), known as CAN-SPAM, went into effect at the end of 2003. Among various provisions, it requires that those sending out the emails not disguise their real identity through address spoofing. Unsolicited messages must include a mechanism for recipients to opt out from future emails. While the law is well intentioned, many have condemned it as being too easy on spammers, preferring to manage the spam industry rather than outlaw it. Nonetheless, a number of high-profile cases have already been brought against spammers within the United States.

12.1.2. Enforcement

Legislation is all well and good, but without enforcement to back it up, it will never achieve a great deal. While law-enforcement agencies are eager to apprehend Internet criminals, prosecution is difficult and successful indictments are few and far between. The Federal Trade Commission and the Department of Justice have handled all the cases in the United States that have involved phishing. That short case list to date is as follows:
The details contained in the court papers from this last case (http://www.ftc.gov/os/caselist/0323102/0323102zkhill.htm) provide a rare insight into how successful phishing can be. Operating in 2002 and 2003, the defendant was able to collect 473 credit card numbers, 152 bank account numbers, and 566 sets of usernames and passwords for Internet accounts. He had used those data to steal more than $47,000 from these accounts.

The first conviction under the CAN-SPAM act was brought against Nicholas Tombros in California. He distributed spam advertising pornographic web sites. This was an interesting case because Tombros attempted to cover his tracks by using unsecured wireless access points while war-driving in the Los Angeles area. Even using this clever form of disguise, he was identified, arrested, and pled guilty to a single felony under the new act.

But the most impressive court cases have involved state laws rather than CAN-SPAM. A number of states have passed their own laws that more effectively prohibit spam, as well as impose significant fines on those that are convicted. In New York, state laws resulted in Howard Carmack, from Buffalo, being required to pay $16.4 million in damages to the ISP Earthlink. It is estimated that he had sent more than 825 million messages since 2002. In 2004, he was convicted on related charges of fraud and identity theft and sentenced to three-and-a-half years in prison. In 2005, a judge in Virginia sentenced Jeremy Jaynes to nine years in prison under that state's anti-spam law. This was remarkable, not only for the length of the sentence, but because it was imposed specifically for sending spam, as opposed to any associated fraud. Large fines and prison time are enough to make some people think twice before embarking on a spam campaign. But even after these high-profile cases, the flood of spam and Internet fraud continues unabated.
Some of the people involved are based outside the United States and perhaps believe that it is too much trouble for U.S. law enforcement to go after them. But a large number of criminals are based on American soil. In order to continue their trade, they must feel very confident that they can evade identification.

12.1.3. Industry and Community Organizations

Dealing with Internet-based crime involves a diverse set of interests, from the banks that carry the cost of successful fraud, to law enforcement agencies that seek out those responsible, to those involved in computer security who look for new ways to deal with the problem. Bringing all these interests together to share information is important, and several groups have been formed with that goal in mind. Inevitably there is some overlap, and even competition, between these different groups. That can be inefficient, but having multiple approaches can help a field evolve more rapidly than if a single idea were adopted by everyone. Here are three of the most significant groups that are currently at work.

12.1.3.1. The Spamhaus Project

Spamhaus (http://www.spamhaus.org/) focuses on spam and the people that distribute it. The group has been around since 1998 and is based in the United Kingdom with members around the world. It collates reports on spam and its origins and produces two important block lists, otherwise known as blacklists, of IP addresses that have been associated with spam. The Spamhaus Block List (SBL) is a list of addresses that are known to have sent spam. The Exploits Block List (XBL) is a list of addresses from which other types of malicious exploit, such as viruses and trojans, have been sent. Operators of mail servers can use the lists to automatically reject email from these addresses. They serve as a valuable resource in the fight against spam, but inevitably they lag behind spammers who are continually recruiting new addresses.
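The following is an added example, not code from the book or from Spamhaus, showing how a mail server consults the SBL and XBL: the connecting client's IPv4 address is reversed, the zone name is appended, and an A-record answer in 127.0.0.0/8 means "listed", with the last octet identifying which list. The zone names are Spamhaus's real DNSBL zones; the reply-code ranges (2-3 for SBL, 4-7 for XBL, 127.255.255.x for a query error rather than a listing) follow Spamhaus's published convention, and the resolver replies below are constructed test data for TEST-NET addresses.

```python
import socket

# Added example, not from the book.  Spamhaus zone names are the real ones;
# reply codes follow the published convention: an A record in 127.0.0.0/8,
# last octet 2-3 = SBL, 4-7 = XBL; 127.255.255.x = query error, not a hit.
ZONES = ("sbl.spamhaus.org", "xbl.spamhaus.org")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 1.2.0.192.sbl.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def classify_answer(answer: str) -> str:
    """Map a DNSBL A-record reply to 'SBL', 'XBL', 'error' or 'unknown'."""
    a, b, c, d = (int(x) for x in answer.split("."))
    if a != 127:
        return "unknown"                 # not a DNSBL reply at all
    if (b, c) == (255, 255):
        return "error"                   # e.g. query sent via a blocked public resolver
    if (b, c) == (0, 0):
        return "SBL" if 2 <= d <= 3 else "XBL" if 4 <= d <= 7 else "unknown"
    return "unknown"

def system_resolve(name: str) -> list:
    """Live lookup: A records for name, or [] on NXDOMAIN (= not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_sender(ip: str, resolve=system_resolve) -> dict:
    """Consult both zones; only genuine listings count, errors are reported."""
    hits, errors = set(), []
    for zone in ZONES:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            kind = classify_answer(answer)
            if kind in ("SBL", "XBL"):
                hits.add(kind)
            elif kind == "error":
                errors.append(f"{zone} -> {answer}")
    return {"listed": bool(hits), "lists": sorted(hits), "errors": errors}

# Constructed replies standing in for real DNS (TEST-NET-1 addresses):
FAKE_DNS = {"1.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],        # SBL listing
            "2.2.0.192.xbl.spamhaus.org": ["127.0.0.4"],        # XBL listing
            "4.2.0.192.sbl.spamhaus.org": ["127.255.255.254"]}  # error, not a hit
def fake_resolve(name: str) -> list: return FAKE_DNS.get(name, [])
```

Calling `check_sender(ip)` without the second argument performs a live query through the system resolver; an error reply should never be treated as a listing, which is why it is reported separately.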
In addition, Spamhaus maintains the Register of Known Spam Operations (ROKSO), a database of individuals and groups that are involved in spamming. Their criterion for inclusion is that each group must have been terminated by three ISPs for sending out spam. This lets them focus on the really serious spam operations that reestablish themselves somewhere else every time they are found out. Each database record contains a list of the domains, addresses, and aliases that the individual or group has used. The format of these is somewhat unstructured, but it represents a great resource if you want to see what else a suspected spammer might have been involved in.

Spamhaus maintains its databases using the spam that they and their partners encounter. This appears to be more than enough, as they do not solicit public submissions of either spam or the sort of forensic information that you and I might be able to provide. I can understand why managing that sort of input could become a major burden, but it does seem unfortunate that the community at large is unable to contribute to their resource.

12.1.3.2. Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) (http://www.antiphishing.org) is the largest group that focuses on phishing. It brings together security experts from banks, ISPs, computer companies, and law enforcement to share information on, and ways of dealing with, phishing web sites. It plays an important role in monitoring new phishing sites and produces a monthly report that summarizes the field. This contains statistics on the growth in the number of these fake sites along with the breakdown of these according to industry sector and brand (for example, the name of the bank being impersonated). Currently the APWG has members from more than 900 companies, including most of the large financial institutions. Membership is not available to the general public.
APWG maintains a database of phishing attempts that you can browse through, although this is far from comprehensive. Individual entries contain screenshots of the initiating email and the fake web site, along with some extracted data such as the URL of the fake site, the email subject line, and so on. These can be useful if you are looking for other examples of an attempt that you encounter. They also provide an email address that you can use to report phishing emails (reportphishing@antiphishing.org). They ask that you attach the original email to a message sent to their address, as opposed to forwarding it, which can result in header information being deleted.

12.1.3.3. Digital PhishNet

January 2005 saw the creation of another industry and government group with the goal of combating phishing. Digital PhishNet (http://www.digitalphishnet.org) is a U.S.-based consortium with an impressive lineup. The government agencies that are involved are the FBI, the Secret Service, the Federal Trade Commission, and the U.S. Postal Inspection Service. Technology companies (such as Microsoft, Verisign, and Network Solutions) and leading ISPs (such as AOL and Earthlink) are members, as are 9 of the top 10 U.S. banks. The group is based in Pittsburgh as part of the National Cyber-Forensics and Training Alliance. Whereas the APWG plays an important role in documenting the problem and educating the public, Digital PhishNet has taken on the aggressive mandate "to identify, arrest and hold accountable, those that are involved in all levels of phishing attacks." Its success or otherwise will be measured in the number of successful convictions obtained over the next few years.