12.1. What Is Being Done to Tackle Internet Fraud?

Everyone realizes that Internet fraud is a serious problem that is not going to go away by itself. Politicians, law enforcement, and industry groups are approaching the problem from different perspectives, with varying degrees of success.

12.1.1. Legislation

The speed with which the Internet has developed has led to many instances of state and federal laws being out of step with technology. Slowly but surely lawmakers are learning about the new threats and are crafting and passing laws that target some of them. But these laws have yet to really prove their worth, either by lowering the incidence of the crime or by securing a significant number of convictions.

In the case of Internet fraud, prosecutors often avoid the new laws, preferring to use tried and tested legislation against fraud in general. The courts are familiar with these, and prosecutors can avoid potential pitfalls as they present their cases. This is a Catch-22 situation. Unless the new laws are properly exercised in the courts, they will never become the deterrent that they were intended to be. Some of the laws that are currently used to fight Internet fraud in the United States include:

  • Wire Fraud (18 U.S.C. 1343)

  • Mail Fraud (18 U.S.C. 1341)

  • Financial Institution Fraud (18 U.S.C. 1344)

  • Access Device Fraud (18 U.S.C. 1029)

  • Computer Fraud and Abuse (18 U.S.C. 1030)

  • Identity Theft (18 U.S.C. 1028(a)(7))

  • Aggravated Identity Theft (18 U.S.C. 1028A)

Anti-spam legislation has received the most attention from lawmakers. In the United States, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (18 U.S.C. 1037), known as CAN-SPAM, went into effect at the end of 2003. Among various provisions, it requires that those sending out the emails not disguise their real identity through address spoofing. Unsolicited messages must include a mechanism for recipients to opt out from future emails. While the law is well intentioned, many have condemned it as being too easy on spammers, preferring to manage the spam industry rather than outlaw it. Nonetheless, a number of high-profile cases have already been brought against spammers within the United States.

12.1.2. Enforcement

Legislation is all well and good, but without enforcement to back it up, it will never achieve a great deal. While law-enforcement agencies are eager to apprehend Internet criminals, prosecution is difficult and successful indictments are few and far between.

The Federal Trade Commission and the Department of Justice have handled all the cases in the United States that have involved phishing. That short case list to date is as follows:


FTC v. _ _ _ (C.D. Cal. 2003)

A juvenile in California operated a fake AOL site.

Paid $3,500 to settle charges


United States v. Carr (E.D. Va. 2003)

A 55-year-old woman from Ohio set up fake AOL sites.

Entered a guilty plea to 18 U.S.C. 1029

Sentenced to 46 months in jail, January 2004

Her male co-conspirator pled guilty and was sentenced to 37 months in July 2003.


United States v. Kalin (D.N.J., Nov. 2003)

A Nevada resident set up a fake version of a site that auto dealers use to access credit reports. He was able to capture usernames and passwords of dealers and then access the real system for identity theft.

Charged under 18 U.S.C. 1030


United States v. Forcellina (D. Conn. 2004)

A married couple from Connecticut set up fake ISP sites.

Both pled guilty to 18 U.S.C. 1029 charges

Husband sentenced to 18 months and $48,000 restitution

Wife sentenced to 6 months home confinement and $48,000 restitution


United States v. Chasin (N.D. Cal. 2004)

A 21-year-old from Florida created fake eBay pages.

Pled guilty to Wire Fraud

Sentenced to 30 months in jail plus $33,000 restitution


United States v. Hill (S.D. Tex. 2004)

A 19-year-old from Texas operated fake PayPal and AOL sites.

Subject to a criminal case by the Dept. of Justice and a civil case by the FTC

Entered into a plea agreement in the criminal case and sentenced to 46 months in jail in May 2004.

The details contained in the court papers from this last case (http://www.ftc.gov/os/caselist/0323102/0323102zkhill.htm) provide a rare insight into how successful phishing can be. Operating in 2002 and 2003, the defendant was able to collect 473 credit card numbers, 152 bank account numbers, and 566 sets of usernames and passwords for Internet accounts. He had used those data to steal more than $47,000 from these accounts.

The first conviction under the CAN-SPAM Act was brought against Nicholas Tombros in California. He distributed spam advertising pornographic web sites. This was an interesting case because Tombros attempted to cover his tracks by using unsecured wireless access points while war-driving in the Los Angeles area. Even using this clever form of disguise, he was identified, arrested, and pled guilty to a single felony under the new act.

But the most impressive court cases have involved state laws rather than CAN-SPAM. A number of states have passed their own laws that more effectively prohibit spam, as well as impose significant fines on those that are convicted.

In New York, state laws resulted in Howard Carmack, from Buffalo, being required to pay $16.4 million in damages to the ISP Earthlink. It is estimated that he sent more than 825 million messages since 2002. In 2004, he was convicted on related charges of fraud and identity theft and sentenced to three-and-a-half years in prison.

In 2005, a judge in Virginia sentenced Jeremy Jaynes to nine years in prison under that state's anti-spam law. This was remarkable, not only for the length of the sentence, but because it was imposed specifically for sending spam, as opposed to any associated fraud.

Large fines and prison time are enough to make some people think twice before embarking on a spam campaign. But even after these high-profile cases, the flood of spam and Internet fraud continues unabated. Some of the people involved are based outside the United States and perhaps believe that it is too much trouble for U.S. law enforcement to go after them. But a large number of criminals are based on American soil. In order to continue their trade, they must feel very confident that they can evade identification.

12.1.3. Industry and Community Organizations

Dealing with Internet-based crime involves a diverse set of interests, from the banks that carry the cost of successful fraud, to law enforcement agencies that seek out those responsible, to those involved in computer security that look for new ways to deal with the problem. Bringing all these interests together to share information is important, and several groups have been formed with that goal in mind. Inevitably there is some overlap, and even competition, between these different groups. That can be inefficient, but having multiple approaches can help a field evolve more rapidly than if a single idea was adopted by everyone. Here are three of the most significant groups that are currently at work.

12.1.3.1. The Spamhaus Project

Spamhaus (http://www.spamhaus.org/) focuses on spam and the people that distribute it. The group has been around since 1998 and is based in the United Kingdom with members around the world. It collates reports on spam and its origins and produces two important block lists, otherwise known as blacklists, of IP addresses that have been associated with spam. The Spamhaus Block List (SBL) is a list of addresses that are known to have sent spam. The Exploits Block List (XBL) is a list of addresses from which other types of malicious exploit, such as viruses and trojans, have been sent. Operators of mail servers can use the lists to automatically reject email from these addresses. They serve as a valuable resource in the fight against spam, but inevitably they lag behind spammers who are continually recruiting new addresses.

In addition, Spamhaus maintains the Register of Known Spam Operations (ROKSO), a database of individuals and groups that are involved in spamming. Their criterion for inclusion is that each group must have been terminated by three ISPs for sending out spam. This lets them focus on the really serious spam operations that reestablish themselves somewhere else every time they are found out. Each database record contains a list of the domains, addresses, and aliases that the individual or group has used. The format of these is somewhat unstructured, but it represents a great resource if you want to see what else a suspected spammer might have been involved in.

Spamhaus maintains its databases using the spam that they and their partners encounter. This appears to be more than enough, as they do not solicit public submissions of either spam or the sort of forensic information that you and I might be able to provide. I can understand why: managing that sort of input could become a major burden, but it does seem unfortunate that the community at large is unable to contribute to their resource.

12.1.3.2. Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) (http://www.antiphishing.org) is the largest group that focuses on phishing. It brings together security experts from banks, ISPs, computer companies, and law enforcement to share information on, and ways of dealing with, phishing web sites. It plays an important role in monitoring new phishing sites and produces a monthly report that summarizes the field. This contains statistics on the growth in the number of these fake sites along with the breakdown of these according to industry sector and brand (for example, the name of the bank being impersonated). Currently the APWG has members from more than 900 companies, including most of the large financial institutions. Membership is not available to the general public.

APWG maintains a database of phishing attempts that you can browse through, although this is far from comprehensive. Individual entries contain screenshots of the initiating email and the fake web site, along with some extracted data such as the URL of the fake site, the email subject line, and so on. These can be useful if you are looking for other examples of an attempt that you encounter.

They also provide an email address that you can use to report phishing emails (reportphishing@antiphishing.org). They ask that you attach the original email to a message sent to their address, as opposed to forwarding it, which can result in header information being deleted.
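The difference between attaching and forwarding can be checked directly. The following is an added example, not code from the book: it builds a report both ways and shows which one still carries the `Received` relay path. The sample message, the reporter address, and the inline-forward format (an imitation of what a typical mail client does) are constructed assumptions; nothing is sent.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a phishing email as delivered (every value is made up).
ORIGINAL = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id ABC123; Mon, 3 Jan 2005 10:00:00 -0500\n"
    'From: "Example Bank" <security@bank.example>\n'
    "To: user@example.org\n"
    "Subject: Verify your account\n"
    "Message-ID: <constructed-1@mail.example.net>\n"
    "Date: Mon, 3 Jan 2005 09:59:58 -0500\n"
    "\n"
    "Please confirm your details at http://192.0.2.55/login\n"
)

def _new_report(original, reporter, report_to):
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Phishing report: " + str(original["Subject"])
    return report

def report_as_attachment(original_text, reporter, report_to):
    """Wrap the untouched original as a message/rfc822 attachment."""
    original = message_from_string(original_text, policy=policy.default)
    report = _new_report(original, reporter, report_to)
    report.set_content("Original phishing email attached with full headers.")
    report.add_attachment(original)  # EmailMessage -> message/rfc822 part
    return report.as_bytes()

def report_as_inline_forward(original_text, reporter, report_to):
    """Imitate a typical inline forward: body plus a few summary headers only."""
    original = message_from_string(original_text, policy=policy.default)
    report = _new_report(original, reporter, report_to)
    summary = "".join(f"{h}: {original[h]}\n" for h in ("From", "Date", "Subject"))
    report.set_content("---- Forwarded message ----\n" + summary + "\n"
                       + original.get_content())
    return report.as_bytes()

def recovered_received(report_bytes):
    """Return the Received headers an analyst can recover from a report."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return [str(v) for v in part.get_content().get_all("Received", [])]
    return []  # nothing attached: the relay path is gone
```

Only the attached form lets the recipient recover the sending relay (`192.0.2.10` in the constructed sample); the inline forward keeps the lure URL but loses the path the message took.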

12.1.3.3. Digital PhishNet

January 2005 saw the creation of another industry and government group with the goal of combating phishing. Digital PhishNet (http://www.digitalphishnet.org) is a U.S.-based consortium with an impressive lineup.

The government agencies that are involved are the FBI, the Secret Service, the Federal Trade Commission, and the U.S. Postal Inspection Service. Technology companies (such as Microsoft, Verisign, and Network Solutions) and leading ISPs (such as AOL and Earthlink) are members, as are 9 of the top 10 U.S. banks. The group is based in Pittsburgh as part of the National Cyber-Forensics and Training Alliance.

Whereas the APWG plays an important role in documenting the problem and educating the public, Digital PhishNet has taken on the aggressive mandate "to identify, arrest and hold accountable, those that are involved in all levels of phishing attacks." Its success or otherwise will be measured in the number of successful convictions obtained over the next few years.



Internet Forensics
ISBN: 059610006X
EAN: 2147483647
Year: 2003
Pages: 121
