THE SINISTER WORLD
OF CYBERCRIME

With all the headlines about hackers who spread viruses or steal data, everyone is now aware of the existence of cybercrime—crimes perpetrated by use of computer or the internet. But have you heard of these shocking cyber invasions? They sound like they’re straight out of a science fiction or crime thriller…but unfortunately, they’re real.

NO ONE IS SAFE

As computer and internet use becomes more common across the globe (the number of internet users has now exceeded four billion), the cybercrime rate is accelerating, too. Any computer in the world can be hacked, even if it’s offline, and everyone is at risk, even if you don’t use a computer. Any database that stores your customer records can be infiltrated by hackers, putting you at risk of identity theft. Criminals have purchased sports cars, obtained drivers’ licenses, and undergone expensive surgeries in someone else’s name. One teenager in Kentucky discovered that he’d “owned” a $604,000 house in California for years. Cybercrime is so rampant, according to Norton Cybersecurity, that it claimed 978 million victims in 20 countries and netted $172 billion in 2017 alone.

A HACKER HAS NO NAME

For most cybercriminals, it’s all about making money, usually by scamming people or ripping off companies. Some—mostly “amateur programmers”—try to make a name for themselves in hacker circles, some prey on people through cyberbullying or blackmail, and in rare cases, cybercriminals terrorize victims in person by stalking or assaulting them.

One of the first, and most chilling, examples of cyberstalking-turned-deadly involved two people from Nashua, New Hampshire, named Amy Boyer and Liam Youens. They went to high school together, but she didn’t know him and had no interaction with him after that, as they attended different colleges. But unbeknownst to Boyer, Youens was obsessed with her and had been since middle school. He published two public websites dedicated to Boyer…and his hatred of her. On his main site, he wrote about wanting to murder her: “Looks like it’s suicide for me. Car accident? Wrists? A few days later I think, ‘hey, why don’t I kill her too?’ ” Then he detailed exactly how he’d do it. It’s not known whether anyone read the site; if so, they didn’t report it. Youens bought information about Boyer—her birth date, Social Security number, and home and work addresses. On October 15, 1999, he went to her workplace and followed through with his savage plan, shooting her and then himself.

The fact that Boyer’s cyberstalker went undiscovered isn’t unusual. Most cybercriminals are evasive. “Hackers tend to be faceless, nameless, indeed, anonymous,” writes tech journalist Amanda Schupak. It’s difficult for authorities to track them down, and because they may reside anywhere in the world, bringing them to justice is nearly impossible. Of the estimated 2.5 million U.S. cyberstalking incidents from 2010 to 2013, the Department of Justice prosecuted only ten cases.

Images

The site of Julius Caesar’s assassination in 44 BC is now a no-kill animal shelter for cats.

“YES, I’M OPRAH”

A more common cybercrime is identity fraud, which claimed nearly 17 million U.S. victims in 2017. One of the most outrageous cases, involving a Brooklyn busboy named Abraham Abdallah, occurred in 2000. Although identity theft has been around for centuries, it surged around that time with the rise of computers. That’s because electronic databases store a wealth of personal data, and for the first time, access to those databases through the anonymity of the internet made it possible for any hacker to pose as someone else.

Abdallah didn’t pose as random people, though; he impersonated famous ones. In an operation that the NYPD called the biggest identity theft in internet history, Abdallah used public library computers (and his own ingenuity) to hijack the accounts of America’s richest people. Choosing his victims from a dog-eared copy of the Forbes issue listing the 400 richest Americans, Abdallah was able to find their Social Security numbers, phone numbers, mothers’ maiden names, and other bits of personal data, which he jotted down in the magazine, next to each celebrity he targeted. Among his victims were Warren Buffett, Steven Spielberg, Martha Stewart, Michael Bloomberg, and Oprah Winfrey.

Here’s how the scam worked:

Sometimes pretending to be the millionaires, other times posing as their financial advisers, Abdallah called his victims’ banks to gather information about them.

Using forged corporate letterheads with official-looking stamps from Wall Street companies, he convinced credit bureaus that he worked for Merrill Lynch and Goldman Sachs. Credit agencies sent him celebrities’ credit reports with account info.

This was key: Using a high-tech phone with internet access, Abdallah set up virtual voicemail and e-fax accounts in his victims’ names. Each account had a different area code, depending on where the victim lived. He then created a greeting, pretending to be the celebrity. (Before remote-access voicemail, the scammer would have needed separate mobile phones for every victim.)

Through anonymous e-mail accounts, Abdallah requested that funds in the millionaires’ bank accounts be transferred to new accounts that he’d set up. And he left a callback number. If banks called to verify the transactions, Abdallah intercepted the message remotely and returned the call. In almost all cases, he was able to convince banks that he was the account owner.

In addition to trying to steal their money, Abdallah used victims’ credit cards to rent P.O. boxes and buy goods that were later shipped to those boxes.

To further help evade authorities, he hired couriers to pick up and deliver packages to him.

Images

Porpoise comes from a French word that means “pig fish.”

Thanks to his meticulous planning, Abdallah was able to steal the identities of 217 wealthy people, from whom he attempted to snatch $80 million. “He’s the best I’ve ever faced,” said NYPD detective Michael Fabozzi, who specializes in computer crimes. “You rarely run into someone this good.” But Abdallah got greedy. A request for a single transfer of $10 million set investigators on his trail, and the hunt ended when Detective Fabozzi nabbed him in 2001. The arrest was like a scene from an action movie. Abdallah jumped in his car and tried to drive away, but Fabozzi leaped on top of the car and dove headfirst through the open sunroof. He wrangled and handcuffed Abdallah while still upside down with his feet poking through the roof. Result: the scammer got 11 years in the slammer.

INFORMATION AT YOUR FINGERTIPS

As technology has evolved, so has cybercrime. Consider biometric identification, which sounded like science fiction not that long ago. Biometrics are physical characteristics that are uniquely yours, such as fingerprints, facial or iris structure, or the configuration of veins in your palm. Someone can create a biometric identity by, for example, scanning their fingerprint into a computer system, which stores the data. Each time they need access to a secure device or area, they provide a fingerprint that the computer system then compares to one in its database and allows (or prevents) entry. Biometric identification is convenient and easy to use. Perhaps you already swipe your finger to make PayPal payments on your phone. Or you place your palm on a reader to give high-tech hospitals instant access to your health history. In Europe, some ATMs now use fingerprints instead of PIN numbers, and some banks are inviting customers to submit a selfie photo that can be used to authorize digital transactions. Of course, these developments also create opportunities for hackers.

WHAT COULD POSSIBLY GO WRONG?

Biometric authentication is supposed to improve security and reduce cybercrime. Yet it may actually have the opposite effect by establishing biometrics databases…some of which have already been hacked. In 2015 hackers (with possible ties to China) penetrated the U.S. Office of Personnel Management (OPM) and stole files containing fingerprints of 5.6 million federal employees and job applicants. If you’re wondering why the U.S. government, which spent $28 billion on cybersecurity in 2016, can’t keep pace with hackers, the answer is simple: It isn’t a fair fight. To fully protect a network, IT teams must constantly find and patch every new vulnerability that arises. But it takes only one cyber invader exploiting a single hole to jeopardize an entire organization. The worst part about the OPM data leak? Some of the victims were probably U.S. intelligence officers, and the thieves (China) may be able to identify American spies overseas by comparing their prints to the stolen records. And unlike passwords, stolen fingerprints and other biometric data can never be changed, which means they’ll never be safe to use for security purposes. Even if thieves don’t have the ability to replicate a fingerprint yet, they’ll simply hang on to the data until they do.

Images

Roald Dahl almost called his book James and the Giant Cherry.

SCAMMERS GET SKIMMERS

In addition to hacking into databases, cybercriminals steal credit card data using devices called skimmers. You’ve probably heard about card skimmers that copy information from a card’s magnetic stripe. Criminals install them over the card slots at ATMs and gas pumps, and customers use them unwittingly. Now fraudsters are working on next-generation skimmers to capture people’s biometric data.

Fingerprint readers, like the ones on Apple devices, encrypt the data to protect it in case the machine is stolen. Theoretically, cybercriminals could trick people into using a skimmer that saves the raw data, perhaps by installing the skimmer over the fingerprint sensor at an ATM. In 2016 cybersecurity experts at Kaspersky Lab were surprised to discover that criminals were further ahead in this con than they expected. Twelve sellers already offer fingerprint skimmers, and three manufacturers are attempting to make fake palm and iris scanners. Using your biometric data, criminals could produce a high-quality model of your finger to unlock your device or provide digital access to your company’s assets. Researchers have already re-created fingerprints using molded gelatin or Play-Doh, and have produced a 3-D replica of a face…all of which has fooled biometric readers.

Right now, there’s no proof that criminals are reproducing people’s biometrics. It’s too time-consuming and expensive for the common crook to manage. However, it’s no problem for security researchers, people who figure out how to hack devices and then inform their manufacturers. German computer scientist Jan Krissler, for example, demonstrated in 2013 how to fool the fingerprint sensor of the new iPhone 5S without much equipment. He captured the phone owner’s fingerprint from the phone’s surface, but he could’ve easily gotten it from a drinking glass or a doorknob. Using sprayable graphene and wood glue, Krissler created a model of the print and used it to unlock the phone. He figured out how to do this in less than two days. Even more astounding, the next year, Krissler duplicated someone’s fingerprints using photos of her hands, (taken at different angles with a standard camera), plus some commercially available software. And the fingerprints weren’t just anyone’s—they belonged to Ursula von der Leyen, Germany’s minister of defense.

For more ways that the Web enables cybercriminals, surf over to page 348.

Images

Tulips come from Turkey.