ABC News
Fraud Reveals Workings of Internet Theft
Unraveled Web Fraud Reveals Inner Workings of an Internet Theft Scam Traced to Quebec
By TED BRIDIS
The Associated Press
Sep. 12, 2005 - The illicit haul arrived each day by e-mail, the personal details of computer users tricked by an Internet thief: a victim's name, credit card number, date of birth, Social Security number, mother's maiden name.
One more Internet "phishing" scam was operating. But this time, private sleuths soon were hot on the electronic trail of a thief whose online alias indicated an affinity for the dark side. The case moved ahead in part because of an underground tipster and the thief's penchant for repeatedly using the same two passwords "syerwerz" and "r00tm3."
Unraveling a scheme that also had hacked Kenyon College in Ohio leapt across continents and ultimately pointed toward a neighborhood in Granby, Quebec. It offers an extraordinary glimpse behind an Internet fraud that targets the most trusting computer users.
"This is really lousy," said Johan Fabris of Holmes, Pa. The 82-year-old grandmother had her online bank account hijacked. Her teenage grandson set up the account for her to sell hand-sewn doll clothes in Internet auctions.
"This was my first foray into the modern computer world. These damn people, life is complicated enough," Fabris said.
In such phishing scams, victims are fooled by realistic-looking e-mails that appear to come from banks or other financial institutions. The urgent-looking messages direct recipients to verify their accounts by typing personal details credit card information, for example into a Web site disguised to appear legitimate.
Despite warnings from the government, banks and security experts, consumers fall victim with disturbing frequency.
One industry organization, the Anti-Phishing Working Group, estimated that thieves collectively launch more than 14,000 such schemes monthly and that about 5 percent of computer users respond to the fraudulent messages.
"They make it look completely real," said Jennifer Phillips, 25, of Martinsville, Ill. She was tricked into disclosing her card number, mother's maiden name, bank routing number and more. "You wouldn't think this could happen to anybody living in the middle of cornfields," she said.
Internet sleuths from CardCops Inc. of Malibu, Calif., uncovered the latest plot.
A tipster pointed them to the thief's e-mail account and gave up the thief's favorite passwords, which the thief previously had shared with the informant, chief executive Dan Clements said.
CardCops monitors Internet chat rooms and other hacker communications for stolen credit card numbers, then notifies merchants and consumers to block bad purchases.
Clements said he logged into the thief's account despite concerns this could be illegal and found what he described as a "den of treasure" for identity crooks.
Clements said he discovered copies of victims' financial information plus tantalizing clues to the thief's real identity. They included an invoice for two Gamecube video games purchased with a stolen credit card and delivered to a family's home in Quebec, plus evidence the thief had tested his schemes using a high-speed Internet connection traced to a home computer in Canada.
"I'm so furious," said Cindy Brenneke of Sunnyvale, Calif., whose Bank of America credit card was used to buy the games.
She had been similarly tricked into disclosing her card number. "It was total stupidity," she said. Brenneke said roughly $4,000 in fraudulent charges were run up for music, movies and video games on Web sites within days of her mistake.
The person listed on the invoice as receiving the video games in Quebec denied any involvement in Internet fraud, telling The Associated Press in a brief interview he did nothing wrong.
But shortly after the interview, the e-mail inbox used for the purchases was mysteriously emptied and the password changed, said Clements, who said he kept copies of everything he found.
The fraud illustrates the conflict between quickly warning potential victims and preserving evidence for police to investigate. Clements said he immediately notified each consumer whose information he found in the inbox and later reported the findings to police before the AP called the home in Quebec.
The case also shows how hard it can be to get the attention of police.
Phillips said she called police in Illinois to complain, but a detective never called back. Brenneke said police in California offered to open a file on her case as a courtesy, but told her Canadian authorities would have to investigate. "It kind of stinks," Brenneke said.
Such experiences are common.
"Unquestionably, there are online crooks who are getting away with impunity," said Beryl Howell, a former top lawyer with the Senate Judiciary Committee. "Victims are fending for themselves."
The Royal Canadian Mounted Police in Quebec said it does not investigate online financial crimes. A city detective in Granby referred the case to provincial police but cautioned that any investigation would take months.
"There's sort of a hole in enforcement," acknowledged Marc Gosselin, a cybercrimes investigator for the Mounties.
Clements said he was unconcerned about the legal risks of reading the thief's e-mails, even though a former Justice Department lawyer said it could land Clements in trouble.
"Law enforcement can't allow self-help vigilantes to go around and do this," said Marc Zwillinger, a former cybercrimes prosecutor.
In the Canadian-based scheme, messages were routed through a computer in Macedonia. Official-looking e-mails were sent randomly on Aug. 23 directing computer users to visit a Web page and confirm details about their bank accounts. The counterfeit e-mails reassured would-be victims "this security measure will protect our customers from account thefts and any other fraudulent activities."
But the Web page did not belong to any bank.
Officials at Kenyon College in Ohio said someone hacked into a school computer Aug. 22 and set up the fake banking page. It transmitted victims' personal information to the Canadian e-mail inbox plus two other addresses believed to belong to thieves.
"It looked very genuine," said Tam Nguyen of Huntersville, N.C., who was tricked into revealing his credit card number, Social Security number, mother's maiden name and more.
"My wife saw the e-mail and told me to take care of it right away. Stupid me, I just went ahead and gave up everything," he said.
The school's director of information systems, Ron Griggs, said the break-in was traced to the same high-speed Internet account in Canada used to run early tests of the fraud scheme. He said 32 people visited the fake banking Web site before someone complained. The college shut off access Aug. 24.
In Illinois, Jennifer Phillips canceled her compromised credit account and is more suspicious these days. But she is under no illusion that what happened to her was an isolated case.
In the days after discovering she had been tricked, Phillips said she received two more urgent-looking e-mails pressing her to verify her bank account online.
This time, she deleted them.
Associated Press writer Phil Couvrette in Montreal contributed to this story.
On the Net:
CardCops: http://www.cardcops.com
Anti-phishing Working Group: http://www.antiphishing.org
FTC advice: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm