The U.S. Department of Justice is indicting a Miami man for working with two co-conspirators in Russia to steal 130 million credit and debit card numbers between 2006 and 2008. Breaking into the network of a payment systems company, the criminal enterprise was able to get the numbers from customer transactions at convenience stores, grocery stores and other retailers.
Cybercrime has evolved from a nuisance to an extreme danger as global crime rings profit from online identity theft. Young hackers showing off their skills have been supplanted by an organized and underground criminal community. These bad guys understand business and technology, and they are just as structured as legitimate companies, using networks, staff and money laundering processes to earn money from stolen identities.
Identity thieves operate in a digital world that is largely beyond the reach of government and law enforcement agencies. While there are laws in many countries that protect against cybercrime, it can be difficult to determine prosecutorial jurisdiction, as many organized crime rings have operations around the world. For example, a phishing site might be registered in Russia to a person in China who is targeting Americans. Policing duties get murky.
Developing countries, such as Russia and China, are responsible for a large portion of the world##s malware, spam and viruses. These countries are experiencing rapid growth in skills and technology that are outpacing laws and enforcement. Because labor is cheap and legitimate technology jobs are scarce, highly skilled whiz kids are turning to cybercrime to make real money by masterminding schemes to steal credit card and Social Security numbers.
Aside from outright theft of personal information via hacking into computer networks, cybercrime is often aiding by unwitting participants who make possible several popular scams:
Phishing: Identity thieves use phishing e-mails and text messages to trick people into revealing their personal information by pretending to be someone they##re not. For example, you might receive an e-mail that appears to come from a legitimate organization, such as your bank or the Internal Revenue Service (IRS). The sender asks you to “confirm” your personal data for a seemingly genuine reason (such as your account has been suspended or you##ve won a contest). If you follow their instructions and provide your personal information, you##ll deliver it directly into the hands of identity thieves.
Vishing: Using the phone to trick victims into releasing sensitive data–a technique known as “vishing” (or voice phishing)–is one of the latest forms of identity theft. Vishing uses Voice over Internet Protocol (VoIP) to con people into divulging their personal and financial information. For example, you might be asked to call a number, where an automated answering service requests your account numbers, passwords or Social Security numbers, which are then used to commit identity fraud.
Malware: This includes any program that infiltrates or damages your computer system without your consent, usually in order to steal your information or track your behaviors for financial gain or criminal purposes. Adware, spyware, viruses, worms and Trojan horses are all types of malware. You can get infected by malware in many ways. Often, it comes bundled with free, downloadable programs (file-sharing programs, such as Kazaa and LimeWire, are the biggest culprits). Simply installing a free screensaver may be all it takes. Others install themselves by taking advantage of any vulnerability in your Web browser. In such a case, no action is required on your part–simply visiting the wrong Web page will lead to infection if your computer is not adequately protected.
Pharming: Scammers install malicious code on your personal computer or server that misdirects you to fraudulent Web sites without your knowledge or consent. You, acting responsibly, might type in a perfectly accurate URL for a legitimate company and be unwittingly taken to a look-alike site. Having no reason to doubt that you##re dealing with your bank, for example, you might readily enter your credit card number, bank account number or password.
One of the latest cybercrime trends involves polluting search engines. Criminal organizations set up phony news Web sites, publish news stories on major events and then use search engine hacking to make their sites appear high in users## search results. They load Web pages with keywords to trick people into visiting their phony sites and then infect their computers. Because 90% of people click on the top 10 results, millions of people are redirected to fraudulent Web sites. If visitors clicked on any links on these sites, they unknowingly downloaded malicious software. Once infected, scammers access their computers and stole any personal information they could get their hands on.
Scammers also distribute malware by exploiting vulnerabilities in legitimate Web sites, such as the United Nations site. For a brief period in 2008, after criminals hacked into the U.N. site, visitors automatically downloaded a file from a malware-hosting server, which attempted to install malicious code on their machines to steal personal data.
Sophisticated schemes have allowed criminals to take over Web sites controlled by trusted, legitimate brands and redirect them to their own illegitimate sites. As far as the users know, they are visiting a trusted site. Once users entered the fake site, their Web browsers were probed for vulnerabilities. If any were detected, the scammers installed password-stealing software on their computers.
Once scammers gain access to a victim##s computer, they can use victims## identities to send phishing e-mails to perpetuate their scams. Social engineering is increasingly moving past corporate branding scams to leverage individual reputations. For example, if an identity thief breaks into your friend##s Facebook account, you might receive a phishing e-mail that appears to come from your friend. You are more likely to trust e-mails from someone you know versus a stranger, so the bad guys know they will get a higher return on investment with these types of scams.
The following tips will dramatically reduce your odds of becoming an identity theft victim:
– If you use a Windows operating system, make sure you update your operating system software with whatever automatic updates Microsoft recommends.
– If someone is offering something that seems too good to be true, it probably is. Use common sense and don##t hand over your personal information.
– Before giving away any information, contact bank or credit card companies directly to verify the validity of an e-mail or phone message.
– Never open e-mail attachments or click on images and links unless you know who sent them and what they contain. Malware can be hidden in any of these. Even messages that appear to come from your good friends can be dangerous, especially if your friends## computers have been infected with malware that is now sending e-mails in their names.
– Before entering any information online, make sure the site is secure. Look for a Web address (URL) that begins with “https://” and the “closed padlock” icon on your browser. You should also enter the address of any banking or e-commerce Web site in your browser, rather than following a link to it.
Scott Mitic is CEO of TrustedID and author of Stopping Identity Theft: 10 Easy Steps to Security. Forbes Magazine (abridged).