Crime

Many have the misconception that their activities in the internet can not be traced back to them so they engage in activities that they would never do if their identities were known.  As I’ve said before, the internet is not anonymous despite everything you see on your local news, on your favorite TV show or in the latest blockbuster. While the way the internet is designed provides technical information that can be used to determine someone’s identity, human nature (especially how it relates to social networking sites) also provides clues that can be used to find a person.

Two weeks ago Asia McGowan was gunned down by a classmate that happened to be obsessed with her. This classmate spoke of killing her and committing suicide in his videos on YouTube. This was reported to Detroit police, however, they were unable to see the video and therefore did not act to prevent her death. The fact of the matter is that most local police departments are ill-equipped to deal with any kind of crime involving the internet. That is where we as internet citizens come in.

I found out about a story from Jessie X where a teenager recorded himself abusing a cat and posted the video on YouTube. He was swiftly brought to justice because of the actions of internet citizens like you and me.  Here’s an account of what happened by Alan Ferguson:

I monitored the online discussion of the Anonymous with a strange sense of excitement about the endeavor.  It was interesting to see them:

• Track down the YouTube account’s zip code
• Facebook and MySpace search for the zipcode and username
• Confirm they had found his MySpace page (via an image showing the same carpet and background as found in the video)
• Confirm the boy’s Facebook page
• Confirm that his name is  Kenny Glenn
• Post the boy’s name, age, location, school everywhere
• Post the boy’s mothers’ name, cell #, work address and work phone
• Post the number to the local news station and the sheriff’s office
• Flood the news station and local law enforcement with phone calls and emails explaining the situation

The same day the teenager was arrested complete with news coverage of the arrest.  If all of that can be done to save a cat, shouldn’t we do the same to save the life of a human being?

Photo credit: Pinot & Dita

I just read the shocking story of how college student Asia McGowen was gunned down by her stalker Anthony Powell who then killed himself. He had been stalking Asia on YouTube and Facebook, leaving her nasty and threatening comments. He had also made videos about her as well as other videos railing against black women, atheist and other topics. While he used YouTube and Facebook to stalk her, he actually knew Asia from a class at Henry Ford Community College in Dearborn, Michigan.  Since he shot her at point blank range it was likely that she had no idea that Powell was her stalker (they were in a classroom together alone when he shot her).

According to YouTuber infamoustrag, Powell made a video saying that he had a shotgun and was going to use it to kill himself or the object of his affection, Asia. He reported it to Detroit police who were unable to watch the video.

A lot of the focus seems to be on her being on YouTube and Facebook (a lot of blaming the victim) completely disregarding that Powell actually knew McGowen in real life and was obsessed with her.  He knew her from school not Facebook or YouTube.  He most likely would have attempted to do this anyway without use of the internet. While YouTube and Facebook were the method Powell used to harrass McGowan, they could have saved her life if anyone had taken the threats seriously. Most times after incidents like this all the people come out of the woodwork to say “We never thought he’d do something like this,” but in this case it was all over the internet. The internet is not anonymous (even when you register for a site with bogus information they know where you are). Had they complained to YouTube and Facebook they may have been able to get information on the source of the threats to identify this guy before this happened. The police definitely could have gotten this information from Google or Facebook.

I think that we as internet citizens need to be more vigilant when we see threatening or other behavior that can hurt others. The video where the guys say what he’s going to do should have been on the news and police should have been at his door. Save the threatening material on your own computer and don’t trust that it will still be on YouTube, Facebook, MySpace or wherever later. Local police departments are mostly clueless when it comes to the internet so if we really feel that something is going to happen we might have to bug them to death (and hold their hands to understand) to get them involved in a case. There’s a lot that YouTube and Facebook can do as well but many don’t know that if they are contacted by law enforcement they can be compelled to give information about particular users. But I think the most can be done with users being vigilant about threats – take them seriously, report it to the authorities (not just to the service provider) and MAKE them respond.

A lot of attention has been given to increasing awareness about phishing. The goal of phishing is to lure unsuspecting people to voluntarily give up their website credentials with the intent of exploiting those credentials for financial or other gain. Some phishing scams only seem to spam and propagate itself. Most web savvy users know not to trust emails that appear to be from his bank about a security breach including a link to log in to verify the account.  But is that all one needs to know?

On December 16, 2008, I received an email from CheckFree, an online bill payment service, saying that my computer may have been exposed to malicious software putting my computer at risk. At first glance, I thought it was a phishing scheme but then noticed that my full name and address were included in the email.  After reading the email again I realized what must have happened.  Customers who tried to log into CheckFree’s bill payment service were redirected to a site that downloaded malware onto their computers.  (Forgive me for being the high-technology crime investigation geek but I was intrigued by that redirection process (called pharming).  I did a paper on phishing and pharming a few years ago but at that time there were no concrete examples of pharming.)  Like phishing, pharming involves sending a user to fake websites that look like the actual site in an effort to get the user’s account credentials or other personal data, but with pharming the URL in the address bar will be that of the actual site making it difficult to identify it as a fake.  In such a case you can’t trust your eyes or your browser.

Without looking further, the drive-by malware download would make it appear that CheckFree had been hacked, however, the criminals did not have to do that.  Pharming instead involves gaining access to a websites domain registrar to point the website URL to a nefarious server.  That is what happened here.  Access to CheckFree’s account at Network Solutions was obtained by sending a phishing email to CheckFree’s system administrators.  The Network Solutions account was then used to point the CheckFree.com domain to a server in the Ukraine.

In this attack, users received a blank page and a drive-by malware injection at CheckFree’s site.  If the attackers had put up a login page instead we would probably be hearing about all kinds of suspicious payments right now.  A login page would have affected more users:  while the malware only affected Windows users, a login page would have affected users regardless of the operating system.  We still don’t know how many customers were affected or what the malware does.

I was not affected outright by this attack for several reasons including that I stopped using the MyCheckFree.com branded bill payment service opting instead to use the one provided by my bank.  The troubling thing about this, however, is that CheckFree is the largest bill payment provider in the United States.  If you are using an online bill payment service provided by your bank, it is most likely a co-branded CheckFree service.  What I have read about this pharming incident is suggests that only users of the MyCheckFree.com website were affected.  But I do wonder if any of their other services could be affected by this attack.  CheckFree has also started notifying customers who use their bill payment service through banks.  In addition, I wonder if any payment information in transit could have been affected or accessed.  I was a developer in the electronic payment group of a bank some time ago and I don’t quite remember if payment information between banks is sent via the domain address or an IP address but it’s a question worth asking.  With the encryption and authentication schemes that they use that might not have been a problem but I haven’t seen it mentioned anywhere.

According to accounts I read, 5 million customers could have been affected by this attack. It is our job as customers to be vigilant in holding companies accountable for protecting our personal data.  To it’s credit CheckFree is contacting customers and offering complementary virus scanning software.  But is that enough?  If the hacker had gained access to customers’ accounts, they would have access not just to bank accounts but also to creditor accounts.  It’s hard to even imagine the amount of work to remedy those kind of consequences.

Photo credit: iStockPhoto