Last spring, the teachers, students, and workers at the University of Kentucky Federal Credit Union received an email that seemed routine enough: Because of a problem in the electronic banking system, customers needed to verify their account information. After clicking a link, they were taken to a page with the bank’s logo where they were instructed to enter their personal identification numbers.
Unbeknownst to the 20 victims, however, their financial details were not going back to the campus, they were zipping to South Korea, where they would be used to create pirate debit cards. The only hint of a scam was tucked away in the site’s Web address, which read ”http” instead of the usual ”https,” designating a secure site. The Wildcats had just been phished . And they’re not alone. Phishing, social and technical engineering aimed at hustling surfers’ personal data, is an insidious form of identity theft that’s on the rise. According to a report by IBM, phishing attacks hit an all-time high, rising by 226 percent in 2005. The Federal Trade Commission receives nearly 200 000 reports of phishing attacks every year.
The phishers feed a larger epidemic of identity theft that is reaching epic proportions. The FTC found that, every year, almost 10 million people are victims of identity theft, costing consumers US $5 billion and businesses $48 billion. But there’s one place where the rise in computer crimes is paying off: Hollywood. In the 21st century, computer crimefrom hacked passwords to identity theftis the stuff of celluloid dreams.
This year in the movie "Firewall," Harrison Ford made security engineers into heroes when he portrayed Jack Stanfield, a banking brainiac whose firewall system becomes a sticking point for a gang of ruthless baddies. Ford gets told to transfer $100 million into a crook’s accountor his family gets it. Of course, Harrison manages to save the bankand the daybut a larger question looms: can computer crimes be sexy?
Hollywood has been playing this game for decades, but the firstand still most influential computer crime movie came in 1983 with "War Games." Matthew Broderick plays a teen geek (and future icon for generations of hackers) who nearly starts World War III after launching a thermonuclear war game between the U.S. and Russia. Oops! Twelve years later, Sandra Bullock chased down her own identity thieves in the shlocky thriller, "The Net." Since then, terrible movies, from "Hackers" (teen geeks battle evil computer virus!) to, yes, "The Net 2.0" (tagline: "No. Money. No. Identity. No. Way Out.”) have combed this brave new world.
But the reality of cybercrime is more intriguing than these slapdash films could imagine. Consider the real-life Bonnie and Clyde of spyware. Michael and Ruth Haephrati seemed like any dot-com wannabes. The young married couple, living in London, operated an Internet security firm called Target Eye. But when the two were taken into custody last May, it turned out they were targeting more than anyone suspected. The Haephratis are accused of being the masterminds behind one of the biggest cases ever of commercial espionage; they allegedly pawned services to help some of Israel’s biggest companies infiltrate each other’s inner workings. Their weapon of choice: spyware.
For years, spywareinsidious software that secretly installs itself on a computer and then logs and disseminates a user’s activityand its dirty cousin, adware, which unleashes unwanted pop-ups, have been a growing nuisance online. The National Cyber Security Alliance has reported that 80 percent of home surfers have had spyware or adware on their computers. Infection is so widespread that there are now Web sites devoted to chronicling spyware horror stories.
The case of the Haephratis reveals just how sophisticated spyware has become. ”This marks the appearance of custom-coded spyware that’s targeted for a specific purpose,” says Kurt Opsahl, staff attorney for the Electronic Frontier Foundation, the San Francisco-based civil liberties group, ”unlike malicious code [such as viruses and worms] it is designed to be surreptitious.”
The government is stepping up its fight against spyware. The U.S. House of Representatives passed two anti-spyware bills, which could send spyware peddlers to prison for up to five years or face $3 million in fines. But the ultimate protection is to download and update anti-spyware software such as Ad-Aware or Spybot Search and Destroy. Experts suggest shelling out the extra cash for programs that automatically monitor spyware invasions.
Ironically, the rise of interest in Hollywood cyber-drama hasn’t created a boom in consumer awareness. It’s one thing to fall for a phishing scam, which can be avoided easily enough by simply calling a financial institution before submitting private financial information online, but other forms of electronic identity theft are not as easy to protect against. Subscribers who typed in the Web address of the New York City-based Internet service provider, Panix, were stealthily redirected to a dummy site in Australia; once there, the site attempted to lure visitors into submitting compromising personal data. Known as pharming , this insidious spin-off of phishing can be exacted via viruses, such as the notorious Banker Trojan, or hacker exploits of firewall servers. ”This could rapidly worsen as attack systems become more automated,” says Peter Cassidy, secretary general of the Anti-Phishing Work Group, an association of business and law enforcement organizations.
Sometimes, however, identity theft doesn’t rely on the consumer’s role at all. Such was the case last year when MasterCard International revealed that names, accounts, and security codes of 40 million customers had been compromised by a hacker attack; of these, 68 000 customers were deemed to be at particularly high risk. What to do? Exercise good online hygiene by downloading browser security patches and by running both firewalls and anti-virus software. Make sure everything is up to date. And don’t get lulled into thinking that cybercrime only happens in the movies.
About the Author
David Kushner is a journalist and writer. His latest book, Jonny Magic and the Card Shark Kids (Random House, 2005), is about underdog gamers who hit Las Vegas. His previous book is Masters of Doom (Random House, 2003), about the co-creators of the video games Doom and Quake. He has also written for Rolling Stone , The New York Times , Wired , Salon , Spin , and other publications.