How to Fight Organized Cybercrime
Kris Covino, CTO and co-founder of Date.com, once received an e-mail that appeared to come from the United Kingdom. The writer explained that he had encountered a lot of fraudulent activity on Date.com, and asked for advice on how to detect fraudulent behavior.
Covino wanted to be helpful. “I responded with information on some anti-fraud databases, places to check if a photo of a supposed Date.com user had been used in online scams, and an online discussion group about scams,” he says. “It was pretty comprehensive and I sent it off…but something about it bothered me.” So Covino checked the sender’s e-mail address against Date.com’s database of known frauds, and it matched up with a known scammer in Nigeria. “The scammers had proactively contacted me to find out how they could disguise themselves better!” Covino says.
Not only that: while he was answering the e-mail, the company’s customer service staff was fielding phone calls from callers who claimed to be Date.com users who’d been banned from the site and who asked for detailed information on how to avoid being banned in the future.
There’s no question that in the past few years cybercrime has taken on new dimensions. “Ten years ago, it was teenagers with pony tails sitting in their garages,” says Fred Rica, principal at PricewaterhouseCoopers. “We now see a high level of organization, a high level of sophistication, and a high level of funding. Whether it’s coming from a nation-state, or organized crime, or somewhere else, they seem to have a lot of resources at their disposal.”
And they operate across international borders. “We found many crime rings employed multiple teams that focused on different parts of a fraud operation,” Covino says. “For example, one team located in the U.S. would register free user accounts, but when it came time to input stolen credit card numbers to create fake pay accounts -- which is illegal here -- that was done from offshore. Then yet another team located predominantly in a few specific regions would use those accounts to perpetrate romance scams within our community.” Romance scams might include getting to know a Date.com member by e-mail or chat over a period of months, and then asking him or her to cash a check, for example.
Cyber-gangs prey on small companies
“If you ask a small business about safety, the response is often: ‘Who would hack me? I have nothing of value,’” reports Dirk Morris, CTO and founder of Untangle, an open-source security gateway for small businesses.
They’re wrong. Organized cybercriminals are after two things that every company, large and small, has. The first is computers, which, if vulnerable, can be used as part of a botnet, sending out spam or performing other tasks without their users’ knowledge. The second is personally identifiable information, such as credit card or Social Security numbers, but also log-ins and passwords that could give the cybercriminals access to users’ accounts.
In fact, organized cybercrime often targets small companies rather than larger corporations. “It’s just too easy to exploit small or medium-sized businesses,” says Ron Plesco, president and CEO of the National Cyber Forensics & Training Alliance. “Large corporations have more funds to remediate and mitigate. Small businesses don’t, and the bad guys know it. They’re concentrating on small businesses, and have been for the past year.”
How you can avoid being a victim of cybercrime
Here are some steps that can help.
- Get the best security you can afford. You can’t match a large company’s security arsenal, and that’s okay. All you need is enough to make your company an unappealing target. “If the door to your house is locked, you have an alarm sign in the window, and a sign that says ‘Beware of the dog,’ a thief will probably go on to the next house,” Rica explains. It works the same with cyber-gangs: if you make it difficult to gain access, they’ll go bother someone else.
- Know your network patterns. It’s smart to review logs and usage on a periodic basis. For instance, when a scammer’s proxy server stopped working for a few moments and revealed the user’s actual location, Covino was able to determine by examining logs that a user who appeared to be in the United Kingdom was actually in Nigeria.
- Know your customers’ patterns. “You have to understand your customer base and have some information about how they use the site,” Covino says. “It’s impossible to fight this without some of that information.”
Just as important, be aware of what user behaviors should be taken as red flags. For Modern Tribe, which sells Jewish-themed t-shirts and other Judaica, that turned out to be large orders for t-shirts with overnight delivery and a shipping address that didn’t match the credit card billing address. The first time the company received such an order, it billed the credit card number and sent out the t-shirts for overnight delivery -- and received an irate phone call a few days later from the credit card’s owner, who had not authorized the charge. By then, it was too late to stop or recover the shipment, so Modern Tribe wound up eating the cost of the t-shirts and expedited shipping.
However, there was a second order in process that also involved a large number of t-shirts, expedited delivery, and a shipping address that didn’t match the card’s billing address. “We immediately suspected that the second order was also fraudulent, so we looked into it, and when it turned out to be false, we were able to stop it,” says Jennie Rivlin, Modern Tribe’s founder.
Since then, she says, her firm has received many such orders, but since they know the pattern, they can take extra steps to make sure an order is real before filling it. “We have had some larger orders where the billing and shipping address didn’t match, so we contacted the customers and it turned out to be fine,” Rivlin says. “But it was well worth taking that extra precaution.”
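For the “Know your network patterns” step above, the sketch below shows one way a periodic log review could surface the kind of brief location change Covino describes. It is an added example, not code from the article or from Date.com; the log format, account names, IP addresses, upstream GeoIP country field and five-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "ISO timestamp, account, source IP, country". The country
# code is assumed to come from GeoIP enrichment done before this review step.
SAMPLE_LOG = """\
2024-03-01T10:00:05 user_17 192.0.2.10 GB
2024-03-01T10:02:41 user_17 192.0.2.10 GB
2024-03-01T10:03:02 user_17 198.51.100.7 NG
2024-03-01T10:03:40 user_17 192.0.2.10 GB
2024-03-01T10:01:00 user_42 203.0.113.5 US
2024-03-01T18:30:00 user_42 203.0.113.5 US
2024-03-09T09:00:00 user_42 203.0.113.99 CA
2024-03-09T09:20:00 user_42 203.0.113.99 CA
"""

def parse(log_text):
    """Yield (time, account, ip, country) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def find_location_blips(log_text, window=timedelta(minutes=5)):
    """Flag a request whose country differs from the requests made just
    before AND just after it by the same account, all within `window`."""
    by_account = defaultdict(list)
    for when, account, ip, country in parse(log_text):
        by_account[account].append((when, ip, country))
    findings = []
    for account, events in by_account.items():
        events.sort()
        for prev, cur, nxt in zip(events, events[1:], events[2:]):
            same_around = prev[2] == nxt[2] != cur[2]
            close = cur[0] - prev[0] <= window and nxt[0] - cur[0] <= window
            if same_around and close:
                findings.append({"account": account, "apparent": prev[2],
                                 "revealed": cur[2], "ip": cur[1],
                                 "time": cur[0].isoformat()})
    return findings

if __name__ == "__main__":
    for hit in find_location_blips(SAMPLE_LOG):
        print(hit)
```

The constructed `user_42` moves from one country to another and stays there, so it is not flagged; only the short out-and-back change on `user_17` is reported for a human to review.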