Beware Cyber Stalkers

Internet crime is stealing millions from American businesses.

The email looked official. The subject line stated it was a “Notice of Unreported Income,” and it appeared to come from the Internal Revenue Service. An American Realty of Northwest Florida employee in the firm’s Shalimar office clicked on the link — which ended up as a $195,000 mistake.

The link took the American Realty computer to a website which quietly installed Trojan horse malware (short for malicious software) called Zeus. The destructive program stole American Realty’s online banking credentials and quietly transferred phony payroll payments to individuals unconnected with the real estate firm that has offices in Walton, Okaloosa and Santa Rosa counties.

“We never got all of it back,” lamented Denny Naugle, the operations manager of the firm.

The five-office, 28-year-old firm has now bought a secure computer with special security software that is strictly used to connect it with the banks.

Naugle said he learned a painful, costly lesson: Small and medium businesses should think about increasing security before they are victims of Internet crime.

“Unlike what most people think, small and medium businesses are the prime target for cybercrime. The Fortune 500 are very well protected, so the cyber criminals move to organizations that are less protected, which is small and medium businesses,” said Stu Sjouwerman, a computer security expert and founder of KnowBe4, a Clearwater firm that trains small and medium business employees to avoid Internet threats.

Ignoring the risk is the biggest threat many businesses face, according to Steven R. Chabinsky, deputy assistant director of the FBI’s cyber division.

“A lot of business owners and individuals I speak with often feel secure against cybercrime because they don’t view themselves as likely targets. They ask me, ‘Why would anybody want to break into my computer?’ The answer lies in the fact that you can be a target of opportunity. Unlike traditional organized criminal groups, cybercrime groups don’t necessarily form with a particular target in mind,” Chabinsky warned during a 2010 speech to government cyber defense and security experts.

Internet crime is no longer something that is committed by teenage hackers in their bathrobes. The vast bulk of it originates in Eastern Europe, where criminal gangs are responsible for hundreds of millions of dollars in theft in the United States alone.

The operations are surprisingly sophisticated and specialized. Government and private experts describe intricate labs where technicians calculate ways to subvert each new anti-malware product. Other members of the gang are specialists in phishing with phony email or spam or setting up bogus websites to gain personal information. There are financial scammers who launder the money with elaborate money transfer schemes. At the top running it all are veteran criminals who learned it was easier to steal with a computer than with a gun.

Get Defensive

There are ways for a business to defend itself. Stu Sjouwerman, a computer security expert, suggests a series of training classes for employees to teach them the importance of Internet security, what to do and what not to do. Tests of corporate emails have found that 20-30 percent of employees mistakenly click on fraudulent emails, such as phony letters from a delivery service stating packages have been delayed.

A joint Data Breach Investigations Report in 2010 by the U.S. Secret Service and Verizon’s Business RISK Team came up with more tips on ways businesses can avoid Internet crime:

Restrict and monitor the users of any computer system: Don’t give employees more access than they need.

Watch for “minor” computer policy violations: The case data found that employees who download unapproved content or use the computer in an inappropriate way are careless and more likely to cause a breach.

Implement measures to thwart stolen credentials: Consider it a “must” to have software that keeps credential-capturing malware from infecting a business computer. Stepped-up authentication before accessing any key data and restricting access from anyplace but a special internal computer are other ways to thwart Internet crime. A firm can consider blocking access from regions of the world if they have no business purpose.

Monitor and filter traffic leaving the business: Most businesses at least make an effort to filter incoming traffic from the Internet. “By monitoring, understanding and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity,” the report states.

Share incident information: The success of Internet security depends upon the information that businesses and individuals are willing to share. Report any suspicious or criminal activity to the authorities and your IT professional.

— Buddy Nevins

Bank robberies might get publicity on the evening news, but digital crime is much bigger in terms of loss. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 – a total of about $35.5 million, according to the FBI’s Uniform Crime Reporting (UCR) program. The Zeus Trojan horse alone resulted in at least $70 million stolen. And that is only the total from incidents connected with those arrested. When one adds all types of Internet fraud, including everything from illegal transfers of money to stealing credit card information, the dollar damage to legitimate business is astronomical.

In Northwest Florida alone, almost 500,000 individuals’ records have been breached, although not all of those people experienced losses. The vast majority of the records came from state government, as when the Florida Agency for Workforce Innovation mistakenly posted more than a quarter of a million Social Security numbers online in 2008. Others came from small or medium businesses like Julie’s Place, a Tallahassee restaurant, which had its credit card system rerouted in 2010 to Internet criminals who stole at least $200,000 from at least 100 customers’ accounts.

Sjouwerman said the attacks in Northwest Florida are not surprising. Any individual or business connected to the Internet anyplace in the world can be victimized.

“Where a business is located makes no difference to organized crime (groups) in Eastern Europe that have made it their life’s work to steal from you via the Internet,” Sjouwerman said.

Tom Putnam, president of the Half Hitch Tackle chain in Bay County, found out that Northwest Florida is only a click away from an Eastern European crime gang. An invasion of the company’s credit card system resulted in about $100,000 of fraudulent charges. There were also the hours of wasted time for employees and aggravation for customers in four out of its five bait and tackle shops. Putnam’s wife was hit with $2,500 in jewelry charges from Chicago, where the thief also took time to stop at a Panera Bread café for coffee. Other credit cards were used as far away as India and Japan.

“I thought we had enough security,” Putnam said. Half Hitch was forced to spend thousands to beef up security on its credit card system.

Robert Thousand, Jr., a semi-retired dentist living near St. Augustine, has learned never to leave his computer in a hotel room. He believes that is where thieves stole his data in 2009 when a long nightmare began for his family. Shortly after returning from a dentists’ conference in The Bahamas, Thousand, his wife and son, also a dentist in North Florida, began receiving an incessant series of harassing phone calls. The 30-second messages from a sex line prevented them from using their phones. It was later revealed the calls were designed to prevent a broker from contacting them while the elder Thousand’s retirement account was looted of $400,000. He “eventually” got the money returned, but he still is angry about the lack of help he got from the authorities.

The increasing use of mobile devices like smart phones and tablets is complicating the security situation. Sjouwerman described devices available that can capture data from wireless computers, smart phones or tablets by just walking through an airport, hotel lobby or coffee shop. “Mobile devices should be known as hackers’ heaven,” he cautioned.

Social networks also make the job of Internet scammers easier. “Don’t be surprised if a criminal compromises you or one of your colleague’s personal social networking accounts to retrieve the email addresses of some of your friends, and then uses that information to spoof an email to you or your colleague at work,” the FBI’s Chabinsky said.

Unfortunately, nothing will ensure safety on the Web, according to Vinton “Vint” Cerf, who is known as one of the “fathers of the Internet.” In a June 2011 interview in Forbes, Cerf said he remained concerned about the Internet.

“The Internet lacks security,” he said. “See this six-digit encryption key hanging around my neck? Some of us at Google have been wearing them since we discovered the Chinese were hacking into Google. The Internet is brittle and fragile and too easy to take down. It’s a conduit for criminal activity. We need international treaties to prosecute the bad guys, but we don’t have them.”