Advertisement

The Web: Beware of 'spoofing' scams

By GENE J. KOPROWSKI, UPI Technology News

A weekly UPI series examining the global telecommunications phenomenon known as the World Wide Web.

--

Advertisement

CHICAGO, Jan. 14 (UPI) -- An e-mail newsletter, apparently from a well-known national newspaper, arrives in your in-box. You read the content and see ads for such leading brands as Best Buy and Citibank. The message includes an amazing offer from the electronics retailer -- $25 for a new operating system software package on CD.

The problem is the newspaper, the ads and the offer are illusions, scams -- frauds.

"Creating a scam like this is extremely easy for con artists," said Felix Lin, co-founder and chief executive officer of Qurb Inc., an anti-spam software developer in San Mateo, Calif.

"And it can be very lucrative for the con men who are carrying it out. But it is damaging to the brands involved, and costly for everyone who falls for their traps," he told United Press International.

Advertisement

Confidence tricksters simply go to the Web site of the brand they are targeting, and cut and paste the content of the ads they wish to emulate into their own files. Then they add hyperlinks to their own, secret sites, where the unwary, who click on the link seeking a great deal online, are asked to enter in their Social Security numbers, driver's license and credit card numbers, and bank account passwords.

"It's called brand spoofing," Lin said.

Another pernicious thing about this underground trend is it dupes people by playing off the deep discount mentality that legitimate online brands, like Amazon.com, have fostered in the Internet marketplace.

"Consumers expect that there will be deals online, free shipping, et cetera," Susan Larson, vice president of global content at SurfControl PLC, in Scotts Valley, Calif., an anti-spam software developer, told UPI. "They play off of that."

Anti-spam software companies first detected brand spoofing last March.

"The bad guys have been looking for new angles to exploit online," said Michael Weider, chairman and chief technology officer at Watchfire Corp., in Waltham, Mass., another anti-spam software developer. "They realize that people trust brands and want to fool you into thinking that they're Bank of America or Citibank. They're exploiting the trust relationship between consumers and brands."

Advertisement

Fraudulent brand advertisements accounted for one of every 100 commercial e-mail messages sent last October. By November, the figure had grown to one out of 25 e-mail messages, and by December, brand spoofing represented one in 20 commercial messages sent online.

"That's 5 percent of all the spam," said Larson, whose firm is monitoring the trend. "It was building up there at the holiday season."

The swindlers use so-called open proxy servers, which enable them to send nearly untraceable e-mail messages, under the guise of legitimate companies.

Research conducted by the University of Oregon Computing Center in Eugene demonstrated recently that the number of open proxy servers increased from 1,000 in 2002 to 100,000 last year.

Major brands, like Microsoft, Sony Electronics, UPS, Pay Pal and First Union Bank, all have been impersonated by these cyber-grifters, who can profit by charging the credit cards of gullible buyers.

"It's dangerous," Lin said. "A lot of companies aren't being proactive enough in protecting their own brands and protecting consumers."

The imposters are becoming very audacious by creating entirely fictional brands online -- companies and products that do not even exist, except in the minds of the criminals, Larson said.

Advertisement

"This is organized crime on the Internet," she added. "Quick and dirty profits, and profiteers."

Purported commercial organizations are not the only ones spoofing online, however. Alleged non-profits are doing so as well.

Radical groups have established fronts throughout the United States, posing as ostensibly cultural organizations, and are marketing themselves heavily online, Steven Emerson, author of "American Jihad: The Terrorists Among Us" (The Free Press, 2002), said during a Jan 9 speech at the National Strategy Forum lecture at the Chicago Athletic Association.

Using the Internet, as well as other technologies, like CD-ROMs, and DVDs, these groups spread the message of jihad throughout the United States and recruit would-be jihadis, all the while raising funds from unsuspecting Americans, as if they were legitimate non-profits, he said.

"The FBI does not expose these organizations unless they know a crime has been committed," said Emerson, executive director of the Investigative Project in Washington, D.C., a group that tracks terrorists. "There was a major Hezbollah conference in Kansas City last week, and the participants were yelling, 'Death to America.' These are radical people, feigning moderation."

Spoofing is beginning to attract the attention of authorities, however. U.S. Attorney for the Northern District of Illinois Patrick Fitzgerald and Joseph A. Morris, former associate U.S. attorney general -- both active behind the scenes in national security affairs -- and a top FBI special agent from the Chicago office, attended Emerson's lecture.

Advertisement

How can one tell if an organization is what it claims to be online?

Matt Dircks, vice president of anti-spam software developer NetIQ Corp., of San Jose, Calif., said if you receive an offer online, make sure to check out the seller's Internet Protocol address, before transacting any business.

"If it says Citibank.ru, as in Russia, be wary," he told UPI.

Whether a for-profit or non-profit company sends an e-mail solicitation, and the IP address seems legitimate, people should look through the site to see if there is a corporate history page, as well as sufficient contact information to reach the firm offline, Larson said.

"If you can't reach them by telephone to confirm the offer, it could be fraudulent," Larson added.

Lastly, experts advise, never respond directly to an e-mail ad by clicking on a link in the message -- no matter how familiar you are with the brand.

"E-mail seems to be the medium of choice for these hackers," Weider said. "But very few real banks, or companies, will ask you for financial information by e-mail. These are definitely criminals."

--

Gene Koprowsky covers the Internet for UPI Science News. E-mail science [email protected]

Latest Headlines