Ethics @ Work: The institutionalization of Internet crime

I was naturally intrigued by a story claiming that Israel has the highest level of Internet-fraud perpetrators per user.

By ASHER MEIR
internet cafe computers (photo credit: )
internet cafe computers
(photo credit: )
In my never-ending quest for original Israeli business ethics stories, I was naturally intrigued by a story claiming that Israel has the highest level of Internet-fraud perpetrators per user. The cited source was a semi-annual report issued by Internet security firm Symantec. But the report does not actually give much detail about Israel, which is after all a little phish in the pond despite its disproportionate impact. It is far too early to declare Israel the champion in on-line fraud. However, the report itself is a fascinating glimpse into the international underworld of Internet crime. I am tempted to turn this column into a kind of reader service and just list some of the thousand unnatural shocks that virtual flesh is heir to. But anyone interested in details can download the report himself. (Or something cleverly camouflaged as the report by some Internet criminal.) In this column I will concentrate on one aspect of the report: the remarkable sophistication of Internet crime. A lot of Internet crime of the past did not really require much sophistication or cooperation. You certainly don't have to be a genius to send spam. Most "phishing" expeditions are also pretty amateurish. ("Phishing" means using some kind of bait to lure users into providing private information. Like the poor guy from central Africa who has to find someone help move $15 million to a foreign bank if you'll only give him your account information.) When technical prowess was needed, it was generally of the kind that could be provided and exploited by an isolated clever individual. One ingenious youngster can figure out how to steal credit card information; then he (or she - according to one site, 25% of Internet criminals are women) sells the numbers to someone else who is an expert in using them. Above all, these efforts had a fly-by-night character. You stole the information and sold it the same day, or soon after. Even a denial-of-service attack, which required coordinated activity, could be planned and carried out in a short time and the perpetrators could then disperse. The advanced strategies enumerated in the Symantec report sound much too complex to be implemented by isolated individuals. They require teamwork and patience. For example, there is a rise in multi-stage strategies. A "Trojan horse" (a program which the user intentionally installs, not knowing its malicious nature) is then used as a security breach to install further system vulnerabilities. Or a dating/friendship site is tampered with in order to provide information which is then used to design a custom-made phishing lure. (Symantec calls this "intelligence lead phishing.") In addition to multi-stage strategies, some of the approaches require combinations of expertise - for example, computer knowledge combined with knowledge of financial institutions. The picture that emerges is not of isolated hackers but rather of hi-tech startups. For example, the report states that "Consolidated bot networks will likely mean that organizations will have to deal with a well-entrenched, experienced, and dedicated group of bot network owners instead of a population of hobby hackers." For me, the most fascinating evidence of institutionalization was the following: "Throughout 2006, Symantec detected an average of 27 percent fewer unique phishing messages on weekends than the weekday average of 961." While this may just reflect the amount of e-mail read or a lessened ability to exploit readers on weekends when some businesses are closed, it suggested to me that the Internet criminals of today are working nine-to-five jobs in regular offices with cubicles and collecting monthly paychecks. I imagine that between scams they stand around the water cooler shooting the breeze and endure endless staff meetings with boring Power Point presentations bearing obfuscatory titles such as "Functional modalities in intelligence lead phishing." A recent article in "e-week" magazine revealed that employees in this industry are recruited by mundane ads in ordinary employment listing sites. When the author replied to one of these ads seeking a "money mule" who could exploit stolen credit card numbers, he was contacted by the hiring manager of the company, who explained the salary arrangement. (Not enough to get rich, by the way.) The company then sent a personal information form and a detailed employment agreement. This in turn suggests that laws regulating this activity are weak or weakly enforced. People don't have nine-to-five jobs in activities that can easily land them in jail. This suspicion is supported by a little bit of research. Based on a small amount of Internet research, I could find only a few dozen cases of people convicted for Internet fraud. A large fraction of these were actually cases of corporate crime, where recognized corporations launched sophisticated attacks on competitors. While further research is needed, it is clear to me that the law is lagging far behind the reality in Internet crime, and that new legislation is needed in Israel and elsewhere to drive Internet crime much farther underground. ethics-at-work@besr.org The writer is research director at the Business Ethics Center of Jerusalem (www.besr.org), an independent institute in the Jerusalem College of Technology.