Showing posts with label Cybercrime. Show all posts

Saturday, February 21, 2009

Dissecting a virtual world phishing attack

An interesting development in the latest cybercrime trends has been a marked increase in attacks against online games and virtual worlds, as I have posted previously. One element that I have missed in the discussion about game hacking has been the methods with which cyber-criminals obtain login details and passwords in order to empty the virtual coffers of gamers around the world. I had generally assumed that hackers obtained passwords through a combination of means, including keylogger software, social hacking, guesswork and bad security on the part of the user. I was not aware of large-scale phishing attacks, so when I received my first WoW phishing message, I was both taken aback by its realism, and also in awe of how many people must be falling for this.

First some background. Last year I opened a US World of Warcraft account for occasionally playing when I am back in Costa Rica. I generally do not use this account, so it would be ripe for hijacking. Yesterday I received this message from what looked like a legitimate Blizzard account. I will reproduce it in its entirety only removing the actual link for obvious reasons:

------------------

Subject: Blizzard Account Administration
From: Blizzard [donotreply@blizzard.com]
Reply-To: Blizzard [donotreply@blizzard.com]

Greetings,

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of, this conflicts with Blizzards EULA under section 4 Paragraph B which can be found here:
WoW -> Legal -> End User License Agreement

And Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use

The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated. In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage:
[HTTPS link removed]

Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.

Sincerely,
Account Administration
Blizzard Entertainment
------------

This was a short and concise message that actually seems plausible, as it arrived at the email account with which my US WoW account is registered. It reads well, with no suspiciously dodgy English or ludicrous made-up names; it also points to the relevant legal documents and articles. Thankfully, I immediately checked the links, and sure enough, the most important one did not lead to Blizzard; it led to ripside.com, which is a small website hosting service. I visited using Google Chrome (which at the time was new enough that few exploits had been developed for it, though visiting a phishing page in any browser carries some risk), and this is what I found:



This looks exactly like Blizzard's own account management screen. Once I entered some meaningless login and password, I got a large page asking for all sorts of details, including name, address, email, and interestingly, the following:



In short, this is all that is needed for anyone to hijack an account, take all the money and items with them, and run. Every guild has stories of members who have been compromised, and from time to time one can hear the desperate cry of a poor sod in Trade chat who shouts "I'VE BEEN HACKED!"

It is important to stress that Blizzard seems to be taking this very seriously, so they have initiated a campaign to make sure users are aware of the security risks involving their account. There is also a procedure in place to reinstate money and items to the victims. However, what is not mentioned anywhere is that these actions constitute a crime, and I am concerned that this is precisely the reason why there is such an increase in hacking activities against gamers. As I have mentioned before, there seems to be some reluctance from law enforcement agencies to respond to cybercrime in general, and game account hacking would seem to be at the very lowest end of their priorities. So, a geek had his magic sword stolen? Who cares?

If hackers have moved towards sophisticated phishing attacks, then we are talking about an entirely new level of engagement. Banking phishing sites are usually taken down within hours of the attack through action from anti-phishing organisations. However, the offending site in this specific attack is still up and running 24 hours after the message was received. This seems to indicate that cyber-criminals are catching up to efforts to curb their scams, and are moving to easier pickings in the shape of virtual worlds. The fact is that virtual goods are worth real money, so the temptation for criminals to make some quick earnings through hacking must be the drive behind the growing number of hijacks. While a criminal will certainly get more money from hacking a bank account, it seems that they realise that hacking a virtual world account is less likely to result in prosecution.

The last element in the line of attacks is that according to the email headers, this message came from New Zealand and what appears to be a compromised Hotmail account. Hotmail seems to be a favourite of phishers and spammers, with Youtube videos explaining how to create fake Hotmail accounts.
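The two checks described in this post, comparing where a link really points against where it claims to point, and walking the Received: headers back to the first hop, can be automated. The following is an added example written for this page, not code from the original post or from Blizzard. The message it parses is a constructed sample modelled on the email quoted above; the relay hostnames, IP addresses and the phishing URL are invented placeholders, and the allow-list of legitimate domains is an assumption.

```python
"""Triage a suspected phishing e-mail: flag links whose real target does not
belong to the claimed sender, and list the Received: chain, earliest hop first."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the genuine sender would legitimately link to.
LEGIT_DOMAINS = {"blizzard.com", "worldofwarcraft.com"}

# Constructed sample. Relay names, IPs and the phishing URL are placeholders
# (RFC 5737 documentation addresses and the reserved .example TLD).
SAMPLE_EML = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example; Fri, 20 Feb 2009 10:00:02 +0000
Received: from omc1.hotmail-relay.example ([192.0.2.20])
\tby mx.recipient.example; Fri, 20 Feb 2009 09:59:58 +0000
Received: from [198.51.100.7] by omc1.hotmail-relay.example;
\tFri, 20 Feb 2009 09:59:50 +0000
From: Blizzard <donotreply@blizzard.com>
Reply-To: Blizzard <donotreply@blizzard.com>
Subject: Blizzard Account Administration
Content-Type: text/html; charset=utf-8

<html><body>
<p>To verify your identity please visit the following webpage:</p>
<a href="https://blizzard.com.account-verify.ripside.example/login">https://www.blizzard.com/account/</a>
<p>See the <a href="https://www.worldofwarcraft.com/legal/eula.html">EULA</a>.</p>
</body></html>
"""


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: ignores co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(raw_message):
    """Return (href, visible text) pairs from the HTML part of the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _AnchorParser()
    parser.feed(body.get_content())
    return parser.links


def triage_links(raw_message, legit_domains=LEGIT_DOMAINS):
    """Flag links whose real target is off the allow-list or differs from the shown URL."""
    findings = []
    for href, text in extract_links(raw_message):
        target = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(target) not in legit_domains:
            reasons.append("target domain not in allow-list")
        # A visible URL whose domain differs from the real target is the classic tell.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append("displayed URL differs from real target")
        if reasons:
            findings.append({"href": href, "host": target, "reasons": reasons})
    return findings


def received_chain(raw_message):
    """Bracketed IPs from the Received: headers, earliest hop (nearest the sender) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        hops.append(m.group(1) if m else None)
    return list(reversed(hops))  # headers are prepended, so the last one is the origin


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EML):
        print("SUSPICIOUS:", f["href"], "->", "; ".join(f["reasons"]))
    print("Received chain (origin first):", received_chain(SAMPLE_EML))
```

The Received: chain is only as trustworthy as the relays that wrote it: anything below the first header added by your own mail server could have been forged by the sender, so treat the origin IP as a lead for a WHOIS lookup, not as proof of where the message came from.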

Much as with bank phishing, there seems to be a toxic triangle that allows some of this to happen. Firstly, email services like Hotmail seem to make it easy for hackers to exploit the system to send fake emails. Secondly, law enforcement and anti-phishing authorities seem unaware and/or uninterested about the phenomenon. Thirdly, users are still falling for many of these attacks due to lack of care and lack of education.

I'm now off to install some anti-keylogger software. I don't want to lose my enchanted knives.

Monday, February 09, 2009

Why all computer security is flawed...

xkcd once more manages to distil complex issues in an understandable and undeniable manner.



The weakest point in any computer security system is the carbon-based element managing the keys.

Tuesday, January 20, 2009

New Windows virus infects millions of computers


Some years ago, headlines describing global virus infections were commonplace. Does anyone remember the ILOVEYOU virus, the Melissa worm, and Code Red? Lately, while virus and worm threats have not diminished, their reporting has become less prominent. Have you heard about Nyxem, XSS and Storm? Neither had I.

The less prominent reportage may have several causes. Viruses and worms have become so widespread as to lose their newsworthiness; the first shell in a war makes headlines, but the 1,000th does not. Similarly, the big spectacular infections are no longer possible; with more and more people protected by firewalls and anti-virus, infections tend to be spread over time rather than arriving in one spectacular burst of activity. The other reason, of course, is that nowadays worms and viruses tend to be less destructive and more pervasive. There are probably more infected machines than in the earlier years of the Internet, but modern worms tend to have two main functions: serve spam and enslave the machine for future use.

These trends have been broken by Conficker, the latest worm spectacular, affecting 9 million computers around the world. The worm exploits a vulnerability in the Windows Server service (present in Windows 2000, XP, Vista and Server 2003/2008, and patched by Microsoft as MS08-067 in October 2008) which "could allow remote code execution if an affected system received a specially crafted RPC request". Although the bug was fixed and an update made available, millions of computers have not installed it, making them a prime target for clever worm coders. The virulence of the worm has taken experts by surprise; the infection is still going on, hitting machines in emerging economies particularly badly.

I will once again apply my better nature and I will refrain from gloating about Mac vs PC security, but there are several interesting issues unearthed by this latest attack. Firstly, computer security has become one of the most important Cyberlaw issues in recent years because most of us rely heavily on computers for our daily tasks. There is a direct proportional correlation between vulnerability and the number of users online; as more people become wired and the digital divide diminishes, more systems are available to hackers. Moreover, I strongly feel that there are some practices at Microsoft that enhance vulnerability for everyone.

Allow me to illustrate the point with an anecdote. My MacBook Pro has dual boot because I still need Windows for various tasks, particularly when I am remotely editing SCRIPTed. For that purpose I purchased and installed a valid yet cheap OEM copy of Windows XP on my Mac. Back in December I logged into the Windows partition, and because I had not logged in for a while it downloaded a large number of updates, amongst them the much maligned Windows Genuine Advantage (WGA). This wretched upgrade turns your machine into a snitch, and it somehow did not like that I was running an OEM copy of Windows on a Mac, so it turned on several nagging notices, as well as changing the Windows background and login splash screen with annoying messages. While getting rid of WGA is relatively easy for someone who knows what they're doing, this got me thinking that WGA acts as a potent disincentive for people without valid copies of Windows to download updates, for fear that their computer will stop working properly. It should be no coincidence that a large number of the infected computers are in India, Brazil, China and Russia. It is my contention that the reason for such prevalence in emerging economies is not a lack of expertise, but actually a lack of updates, because people have stopped trusting them due to WGA.

Internet security is only as good as its weakest systems, and as things stand, there are millions of vulnerable PCs. While Windows Vista came with some robust protection preinstalled, many of its features were turned off by users as soon as possible. Computer security must be both non-intrusive and easily scalable. At the moment, Microsoft has neither.

Tuesday, December 16, 2008

IE security flaws

The BBC is reporting that there is a new critical flaw in Internet Explorer that allows hackers to gain access to a computer and steal passwords. In other news, water is wet, politicians lie and Windows Vista is a huge disappointment.

Seriously though, this is usually the perfect opportunity for the blogger to pontificate about the evils of Microsoft and recommend readers to switch to Firefox/Safari/Opera/Chrome as of yesterday. Another tactic is to smugly admonish poor sods still using Internet Explorer to realise the folly of their ways and learn to love open source development. And then there is even a chance for Apple-heads to unleash a wave of self-righteousness and claim that this would not happen on a Mac. I will forego the temptation to fall into the aforementioned stereotypical actions, although I am truly fighting the urge to utter the predictable "I told you so", or the always-satisfying Nelsonian "HA HA!"

Instead of any unbecoming haughty displays, I notice that this exploit was designed to steal game passwords. As I've mentioned earlier, one of the fastest growing areas of cybercrime is the theft of virtual goods on games like WoW, where the in-game gold has acquired real currency value. It should be quite telling that this exploit is not being used to purchase things on eBay or Amazon, but to steal virtual goods. Perhaps the payout is not as big, but the risks seem much less. I don't think a cop is going to prosecute a hacker for stealing magic items on WoW.

Monday, December 15, 2008

FBI scam

As a long-time watcher of Nigerian 419 scams, I felt obliged to pass this beauty on. Enjoy.

Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc

Attn: Beneficiary,

This is to Officially inform you that it has come to our notice and we have thoroughly Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal Transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, Dr. Philip Mogan, none officials of Oceanic Bank, Zenith Banks, Barr. Derrick Smith, kelvin Young of HSBC, Ben of FedEx, Ibrahim Sule,Larry Christopher, Dr. Usman Shamsuddeen, Dr. Philip Mogan, Paul Adim, Puppy Scammers are impostors claiming to be the Federal Bureau Of Investigation. During our Investigation, we noticed that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.

Therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in total USD$11,000.000.00 in an ATM CARD which you can use to withdraw money from any ATM MACHINE CENTER anywhere in the world with a maximum of $4000 to $5000 United States Dollars daily. You now have the lawful right to claim your fund in an ATM CARD.

Since the Federal Bureau of Investigation is involved in this transaction, you have to be rest assured for this is 100% risk free it is our duty to protect the American Citizens. All I want you to do is to contact the ATM CARD CENTER via email for their requirements to proceed and procure your Approval Slip on your behalf which will cost you $260.00 only and note that your Approval Slip which contains details of the agent who will process your transaction.

CONTACT INFORMATION
NAME: MR. DANIEL WILSON
EMAIL: danielwilson437@yahoo.com.cn

Do contact Mr. Daniel Wilson of the ATM CARD CENTER with your details:

FULL NAME:
HOME ADDRESS:
TELL:
CELL:
CURRENT OCCUPATION:
BANK NAME:
AGE:

So your files would be updated after which he will send the payment information's which you'll use in making payment of $260.00 via Western Union Money Transfer or Money Gram Transfer for the procurement of your Approval Slip after which the delivery of your ATM CARD will be effected to your designated home address without any further delay.We order you get back to this office after you have contacted the ATM SWIFT CARD CENTER and we do await your response so we can move on with our Investigation and make sure your ATM SWIFT CARD gets to you.

Thanks and hope to read from you soon.

ROBERT S. MUELLER, III
DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
UNITED STATES DEPARTMENT OF JUSTICE
WASHINGTON, D.C. 20535

Note: Do disregard any email you get from any impostors or offices claiming to be in possession of your ATM CARD, you are hereby advice only to be in contact with Mr. Daniel Wilson of the ATM CARD CENTER who is the rightful person to deal with in regards to your ATM CARD PAYMENT and forward any emails you get from impostors to this office so we could act upon and commence investigation.

Thursday, November 27, 2008

Jury decides on cyberbullying case

A Federal jury in Los Angeles has convicted Lori Drew of three misdemeanour counts of computer fraud, specifically accessing a computer without authorisation. This is not unusual in itself, but the novelty of the decision is that Ms Drew's conduct was to create a fictional MySpace account to bully a teenage neighbour, Megan Meier, who committed suicide as a result of the emotional distress caused by Ms Drew.

I have commented already on the strange tactic by Federal prosecutors of using anti-hacking law against cyberbullying. While the jury did not believe that the action was a felony, and therefore only convicted the action as misdemeanour, I still find that the legislation does not really fit the offence. Lori Drew's conviction should be taken as the potential criminalisation of breaching Terms of Service, something that I am not sure the law was designed to accomplish to begin with.

It is possible that this case is a one-off, but a worrying precedent has been set.

Wednesday, November 26, 2008

Cybercriminals making a killing on magic swords


(via Pangloss) The European Network and Information Security Agency (ENISA) has published a report about the prevalence of cybercrime against virtual world inhabitants. The report states that:

"2007 was the year of online gaming fraud – with malicious programs that specifically target online games and virtual worlds increasing by 145% and the emergence of over 30,000 new programs aimed at stealing online game passwords. Such malware is invariably aimed at the theft of virtual property accumulated in a user’s account and its sale for real money."
Pretty interesting, considering that the real-world value of virtual goods is growing, with some experts placing the total GDP of virtual worlds in the trillions of dollars. As these virtual goods become more likely to be exchanged for real money, they will continue to be the target of hackers and cyber-criminals intent on removing online gold and other valuables in order to sell them on the virtual markets in exchange for real currency.

The likeliest scenario for a virtual robbery is that of a gamer who has his/her password stolen; the criminal then enters the account and removes all gold and tradeable valuables, which are sent to a third-party character and probably moved once more to obscure the trail. The gold is then sold to third-party gold sellers in China, where it is exchanged for real money when some gamer buys it.

The report also has a likely scenario for attacking guild banks.
"In games such as World of Warcraft, in-game guilds have banks where they store their most valuable items. Full access to such guild banks is limited to players high in the guild hierarchy. However guilds often have web sites open to guests where information such as email addresses, instant messaging usernames and social networking details, are available. Members of the guilds are also active in forums. This leads to the following attack scenario:
• Attacker visits guild sites or forums and checks in the MMO/VW to gather a list of high-ranking officers in the guild and their contact information.
• This is used to gain account information that can be used for social engineering, phishing, hacking, etc.
• Attacker logs in as a player, accesses guild bank, and sells all items.
• Attacker changes account details so a player cannot login. "
I have heard from WoW players and guilds who have been victims of such attacks, but I had no idea of the scale of the problem. As the report rightly points out, this type of cybercrime usually goes unreported, and it is not hard to imagine that law enforcement bodies around the world will be highly sceptical about crime that amounts to someone stealing a magic sword, or currency that is not seen as any different from Monopoly money. However, these crimes have real value, and they are a worrying trend.

Hmmm... I wonder if my online characters still have their gold intact.

Monday, November 24, 2008

Smells like teen suicide

(via ORG-Discussion list and various other sources) A teenager in Florida has committed suicide while webcasting the event on the video website Justin.tv. Reportedly, as many as 1,500 people were witnessing the event at one time, and some even encouraged the teenager with messages like this one: "Do it, do the world a favour and stop wasting our time with your mindless self-pity."

I have been following the strange obsession that the British media has with the Internet and suicide. I am usually puzzled by the over-the-top technophobic tone with which this news is often portrayed. For example, The Times informs us that:

"According to one charity that works to prevent suicide, there have been at least 17 deaths in Britain since 2001 involving chatrooms or sites that give advice on suicide methods."
Sounds like an epidemic! However, one has to place these figures in context. Young-male suicide is at a 30-year low, while in 2006 5,554 people committed suicide in the UK. In the grand scheme of things, internet-related suicide is negligible. As someone mentioned in an online mailing list, it would be interesting to try to determine if online communities are acting also as a deterrent by offering suicidal people an environment where they can find support.

Perhaps one day there will be measured coverage of sad events such as this one.

Monday, October 27, 2008

Twittering terrorists

From the same people who brought you The War on TerrorTM, comes the latest in terrorist tools: Twitter! Wired reports that an American intelligence outfit has been attempting to guess which tools might be used by terrorists to unleash death and destruction on an unsuspecting populace. GSM phones, chat software and digital maps are at the top of the terrorist gadget wish-list (apparently, the cell phone of choice for the wannabe jihadist is the Nokia 6210 Navigator).

The intelligence report is filled with some quality information. Did you know that Al Qaida has its own social-network site? I would very much like to have access to that one in order to read terrorist profiles:

"Status: On my way to blow up embassy
Listening to: Appetite for Destruction"

The report also highlights the combination of Skype and voice-altering software to mask terrorist conversations from surveillance by security forces. It even has some of the cell-phone backgrounds of choice for the discerning religious fanatic intent on death to the West (hint: no Paris Hilton wearing a skimpy bikini in any of those pictures). But perhaps the best part of the report is its depiction of Twitter as a potential terrorist tool. There's no way I can truly do justice to the real thing, so here it is, straight from the horse's mouth:

"What makes Twitter unique is that the member can send Tweets (messages near realtime) to Twitter cell phone groups and to their online Twitter social networking page. They can also Mashup their Tweets with a variety of other tools including geo coordinates and Google Maps or other electronic files/artifacts. Members can direct and re-direct audience members to other websites and locations from "Tweets" and can engage in rapid-fire group social interaction. [...] Twitter has also become a social activism tool for socialists, human rights groups, communists, vegetarians, anarchists, religious communities, atheists, political enthusiasts, hacktivists and others to communicate with each other and to send messages to broader audiences."

Damn those vegetarians, always trying to sell their aggressive and radical no-meat agenda to the naive masses!

So, we will have to add Twitter to the many Web 2.0 tools for terrorism. After all, World of Warcraft is allegedly filled with jihadists intent on destroying our freedoms.

Twitter, bringing death and destruction 140 characters at a time.

Friday, October 24, 2008

Woman jailed for killing avatar

Internet news sites are abuzz with the report that a Japanese woman has been jailed after reportedly "killing" her virtual husband's avatar after a virtual divorce. A 43-year-old Japanese piano teacher was virtually married to a 33-year-old office worker in the online game Maplestory - a cutesy Korean manga-style world.

Reportedly, the husband divorced his virtual wife without warning, and hell hath no fury like an avatar scorned. The piano teacher knew the login details of her online lover, so she entered the game using his password and deleted the character. An avatar had ceased to exist; for all practical purposes, it had been killed. The owner did not take the "killing" lightly, phoned the police, and the Sapporo woman was arrested and taken into custody charged with "illegally accessing a computer and manipulating data". None of the many reports say whether she has been released, but the charges carry a maximum sentence of one year and a maximum fine of ¥500,000 (contrary to the five years claimed by many news sites).

It is perhaps too easy to laugh at the mirth-inducing reports of middle-aged piano teachers and mild-mannered office workers taking their manga characters way too seriously. Nevertheless, it seems evident that there are some interesting legal issues at stake. Firstly, I find it intriguing that anti-hacking laws are being used to protect the integrity of an avatar. The statute in question is the 1999 Unauthorized Computer Access Law, which as the name suggests, penalises unauthorised access to a computer. Art. 3 reads:

Article 3. No person shall conduct an act of unauthorized computer access.
The act of unauthorized computer access mentioned in the preceding paragraph means an act that falls under one of the following items:
(1) An act of making available a specific use which is restricted by an access control function by making in operation a specific computer having that access control function through inputting into that specific computer, via telecommunication line, another person’s identification code for that access control function (to exclude such acts conducted by the access administrator who has added the access control function concerned, or conducted with the approval of the access administrator concerned or of the authorized user for that identification code);

There is no reason why this criminal type would not apply to the present case (that's too many negatives). Moreover, avatars are the embodiment of hours of hard work on the part of the player, and it would be interesting to see if besides the criminal conduct incurred, the perpetrator could also be the recipient of civil action. Nowadays it is possible to allocate real-money value to virtual goods, so a high-level character could be worth a lot of money. If a person deletes the character, shouldn't there be some sort of civil damage recourse as well?

Finally, I think that if this case had taken place in the UK, one could have used the Computer Misuse Act. s1 and s3 of the act penalise unauthorised access and unauthorised modification of computer material respectively.

I'm now off to make sure that my many avatars are still alive.

Thursday, October 23, 2008

Flame wars: defamation or assault?

(via Denis Magnusson) A Canadian court has issued an injunction against a stamp dealer who posted threatening materials on the internet against Richard Warman, a human rights campaigner. The systematic hate campaign by one William Grosvenor included death threats, false accusations of sex with minors, photos of the victim's home together with his address, Google Maps directions on how to get to his domicile, and a range of other abusive offences. When granting the injunction, the judge equated them with assault:

"They are threatening and intimidating and, by virtue of their repetitiveness, their detail regarding the plaintiff's whereabouts and their level of malevolence, they are more than empty threats and insults. They are vicious and serious and are to be taken seriously."
Besides an injunction ordering to take down the abusive content, the judge ordered Mr Grosvenor to pay $50,000 CAD.

Interesting case from many perspectives, but I found the equating of constant defamatory and threatening material with assault a novel way of dealing with cyber-offences. As we conduct more of our lives online, it seems logical that an attack on our real and virtual persona will be treated as assault under the law.

Saturday, September 20, 2008

Hacking Palin

An interesting cybercrime and politics story came out this week. Sarah Palin's Yahoo email account was hacked by a group called Anonymous and screenshots were posted on WikiLeaks. Hacking may be too strong a word; what seems to have occurred is more akin to social engineering, as the hackers admitted that they simply guessed Palin's Yahoo security questions correctly. The hacker reset the password by answering with Palin's date of birth, postcode and where she met her husband (Wasilla High), all easily obtainable facts.

Now the FBI has become involved, as it is a federal offence to have unauthorised access to someone else's email through the Stored Communications Act. The Act makes it a criminal offence to "intentionally accesses without authorization a facility through which an electronic communication service is provided". The perpetrator faces a fine or up to five years in jail if the access was done for "commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State". For any other case, the penalty is one year or a fine. However, the EFF has stated that prosecution may be difficult in case of accessing viewed or opened emails.

While I confess to feeling a pinch of schadenfreude at this case, there is something deeply wrong about accessing another person's email. What seems clear is that the privacy settings available to famous people are inadequate: a "security question" whose answer is a matter of public record is no security at all.

Wednesday, August 06, 2008

The hackers strike back

Hacking is back in the news. The BBC reports that hackers in the U.S. infiltrated the computer networks of several companies and stole over forty million credit and debit card numbers. What is unusual about the case is that the hackers targeted their victims' supposedly secure wireless access points, and through them gained access to the internal networks.

This case highlights the problems posed by wireless networks. We have known for a while that wi-fi is a convenient yet insecure technology, as it opens systems to any passer-by with the know-how. There is not only the problem of piggybacking, but also that of leaving computer systems and transactions open to interception.

The law already covers this type of hacking adequately, be it through "traditional" anti-hacking legislation or normal fraud law. The issue then becomes one of law enforcement, evidence and cyber-security. Firms with large wireless networks should be aware that these open up their systems, and their security should therefore take into account that a hacker in the parking lot may have access to sensitive files.

And to top up the hacking news, the Beeb also reports that hackers are targeting Twitter by including trojans in viral video links. As a smug Mac user, I have to point out that this vulnerability only affects Microsoft machines.

Wednesday, June 18, 2008

Using anti-hacking law to punish cyberstalking

(via The Guardian) An interesting case is taking place in the United States. Megan Meier was a 13-year-old girl from Missouri who had a MySpace page and an active web presence. She received a friend invitation from a 16-year-old called Josh Evans, and they exchanged messages and flirted for several weeks. At some point, Josh told Megan that he was leaving town; Meier expressed her love for him, but his messages grew darker, and eventually he commented that "The world would be a better place without you". She killed herself one hour after receiving that message.

Sounds like a tragic story of teenage love gone seriously wrong, but this one has a twist. Josh Evans was actually Ms Lori Drew (49), Megan's next-door neighbour. The mind boggles at the mindset that makes someone act so callously, but as someone said, being mean online is not a crime, or is it? In principle, Ms Drew's actions, as reprehensible as they are, do not seem to fall into any criminal type, so her cyberstalking (or cyberbullying?) had gone unchallenged in the courts. However, prosecutors are bringing Federal charges under the Computer Fraud and Abuse Act on one count of conspiracy and three counts of "accessing protected computers without authorization to obtain information to inflict emotional distress". Each count carries a maximum five years in prison, and the case is being heard in the Central District of California because MySpace is based in Beverly Hills.

The legal reasoning behind the indictment is disturbing for various reasons. How can legislation designed to curb hacking and illicit access to a computer be used to accuse a person who has used an online persona to inflict emotional distress? The reasoning from the U.S. Attorney bringing the charges states that:

"The indictment alleges that Drew, along with others, registered as a member of MySpace under the name “Josh Evans.” Drew and her co-conspirators then used the Josh Evans account to contact M.T.M. and began what the girl believed was an on-line romance with a 16-year-old boy. In taking those actions, the indictment alleges, Drew and her co-conspirators violated MySpace’s “terms of service” (TOS) that prohibit users from, among other things, using fraudulent registration information, using accounts to obtain personal information about juvenile members, and using the MySpace communication services to harass, abuse or harm other members."
This implies, strike that, this clearly states that lying in application forms and therefore violating terms of service is a crime. Say what? This practice is used every single day by thousands and thousands of people in discussion boards around the world! The prosecutors seem to be stretching the law to breaking point on this one. Specifically, I have read the relevant sections of the Computer Fraud and Abuse Act, and the legislation is clearly geared towards hacking and unauthorised access. Since when is breach of TOS equivalent to hacking?

This case is part of a growing line of murders and suicides where online anonymity, play-acting and misidentification have played a part. There was the strange case of an online suicide pact, or the bizarre case of IM deceit that led to a murder in upstate New York. Therefore, there may be some justification for enacting legislation to protect teenagers against cyber-bullying and cyberstalking, something that U.S. legislators appear to be keen on doing. However tragic the case is, abusing anti-hacking law to try to punish some reprehensible actions is excessive.

On a semi-related note, it is strange reading some of my old posts. I sound rather unsophisticated!

Wednesday, April 02, 2008

Think of the children

The British press is going through a feeding frenzy, as tabloids and mainstream media outlets try to outdo each other in reporting the threats posed to children online. The Daily Mail warns us that "Millions of girls using Facebook, Bebo and Myspace 'at risk' from paedophiles and bullies". Even by its low standards, this has got to be the most misleading headline in the history of Internet reporting. The Daily Express tells us that "Parents warned of website predators". A word of advice to the good folks at the Daily Express: update your stock photographs to reflect that the century has changed.

At the heart of the media feeding frenzy is a report by Ofcom (full report here, thanks Daihí!) that warns parents about the potential dangers of social networking sites. What seems to be a measured study has been translated by parts of the press into yet another cluster of accusations that the Internet is filled with predators and filth.

This of course comes on the heels of the Byron Review entitled "Safer Children in a Digital World". I have finally gone through the report, and I am troubled by some of the broader claims made. While I applaud the attempt at evidence-based policy-making, I am afraid that the Byron report is long on speculation and short on sound evidence. I was particularly struck by the Review's treatment of gaming. While it recognises that there is little evidence on the harms of violent video games, it goes on to make some tenuous links to ethnographic evidence that they may be harmful. Online gaming was cited as a particular worry, although here the evidence was even thinner.

The public perception of the internet as a bad place is one of my pet peeves. I am amazed by how easy it is for journalists to paint the online world as a scary place full of monsters. There is a sector of the British press that relishes any chance to scare parents silly about the dangers of the virtual world, when children are still vulnerable to the usual threats. Bullying and abuse take place as they did before the internet, and the actual recorded cases of grooming do not warrant the volume of the coverage.

Should we think of the children? Of course! The Byron Review is not bad; it has some sensible ideas about online safety, privacy and self-regulation, but responses should be proportional to the actual threat posed.

Update: Open Education has two excellent posts on the Byron Report, one on the Internet findings, the other one on the video game issues (thanks to Tom Hanson for the heads up).

Wednesday, March 05, 2008

Cyberterrorism and virtual worlds

(via Wiebke Abel and other sources) Many news sources have been carrying this story. Apparently, the United States intelligence services (who also brought you The Iraq War), are hunting for cyber-terrorists in Second Life and other virtual worlds. Apparently, those dastardly terrorists are coming to a screen near you, envious of your cyber-freedoms and your cyber-way of life, or something like that.

The BBC reports that the operation is codenamed Reynard, and the objective is to look for anomalous behavioural patterns which may give away a terrorist. Wired informs us that the intelligence services will automatically detect "suspicious behavior and actions in the virtual world." Anomalous behaviour? Now that I think about it, it is probably true. I thought that a Night Elf I was teaming with last night was acting rather suspiciously. He aggroed a large mob of dragonkin and wiped us out. Suicide tanking?

Seriously though, this seems to be just hype. I am hoping that this is just one of those silly reports that military services are prone to produce from time to time, akin to looking into mind-control techniques, UFOs, and stopping a goat's heart with thought alone. I cannot imagine that this is a serious proposal from the American intelligence services.

Juan Cole has an excellent piece in Salon on this topic, which can be boiled down to calling the concept of virtual world terrorism "laughable". I am reminded of Adam Curtis' The Power of Nightmares.

Tuesday, December 18, 2007

Post-modern scam

(via Rena Gertz) When the scam becomes the scam, are we faced with post-modern fraud? This one pretty much redefines chutzpah.

UNION BANK PLC
COMPENSATION OFFICE UNION BANK/ UNITED NATIONS 2007 SCAM VICTIMS
COMPENSATIONS PAYMENTS.
ATTN: SIR/MADAM,
REF/PAYMENTS CODE: UNB/06654 $150,000 USD.

This is to bring to your notice that we are delegated from the UNITED
NATIONS in Central Bank to pay 150 victims of scam $150,000 USD (One Hundred
and Fifty Thousand Dollars Only each).You are listed and approved for this
payment as one of the scammed victims to be paid this amount, get back to
this office as soon as possible for the immediate payments of your $150,000
USD compensations funds. On this faithful recommendations,we want you to
know that during the last U.N. meetings held at Abuja, Nigeria, it was
alarming on the money lost by various individuals to the scams artists
operating in syndicates all over the world today.

In other to compensate victims, the UNITED NATIONS Body is now paying 150
victims $150,000 USD each in accordance with the UNITED NATIONS
recommendations. Due to the corrupt and inefficient Banking Systems in
Nigeria, the payments are to be paid by Central Bank Nigeria as
corresponding paying bank under funding assistance by the governments of USA
, CANADA and BRITAIN.

Any benefactor of this compensation award will have to be first cleared and
recommended for payment by UNION BANK PLC. According to the number of
applicants at hand, 114 Beneficiaries has been paid, over a half of the
victims are from the United States, we still have an outstanding of 36 scam
victims left to be paid. Other victims who have not been contacted can
submit their application as well for scrutiny and possible consideration.

We shall feed you with further modalities as soon as we get response from
you on how you intend receiving your compensation payment. Send a copy of
your response and payment code to our remittance officer:

NAME: Mr Steven Ade
SCAMMED VICTIMS /REF/PAYMENTS CODE:
UNB/06654 $150,000 USD.
PHONE NUMBER:+234-808-454-0643
EMAIL:unionbankplc.ng231@yahoo.ca

Yours Faithfully,

Mrs. May Udoh

Saturday, December 08, 2007

Cybercrime in emerging economies

One of the surprises from my trip to Costa Rica has been the prevalence in the media of stories regarding internet fraud, phishing and other hacking attacks. Back in August the police arrested 16 individuals involved in identity theft used to remove ¢800 million CRC (about $1.6 million USD) from bank accounts.

The relative unfamiliarity with new technologies, coupled with some insecure institutional practices and checks, has meant that cybercrime has become a profitable exercise in Costa Rica. In the UK, users are covered by all sorts of consumer protection at national and European level, but here users bear all of the risk from fraud. With better systems in place, it would be possible to weed out a lot of the most basic attacks, but identity checking is seriously lacking. It seems unfair that users should bear the brunt of the liability for online fraud.

Things are changing, however. The national press has been educating readers about phishing and other scams, and some banks have started implementing better checks, or imposing caps on online transactions per day. Scotiabank has even gone as far as to issue consumers with a password-generating keyring, a device that randomly generates a new passcode every 60 minutes or so, and which is synchronised with the account (this would, however, leave the user vulnerable to mugging, but I digress).

The law has also been changed: there is now a criminal offence of internet fraud, which carries a maximum sentence of 10 years.

I guess that bridging the digital divide means that the number of potential cyber-victims increases, and the law should change accordingly.

Monday, November 19, 2007

Another academic scam

I've just received a second academic scam. My comments in green:

From: un.academicawards@katamail.com [this would be more convincing if it was masked as a UN address]

UNITED NATIONS UNIVERSITY AWARDS COORDINATOR [actually, there is such thing as the UN University!]
BRENT ADAMS (UNITED NATIONS EDUCATIONAL GRANTS)
UNIVERSITY STAFF AND UNDERGRADUATE AWARD DEPT
REF NO: 05/0029-UNG/0901-03
BATCH NO: 11-4120/UNG/0307
SERIAL NO: AA01/07/003/UNEG

ATTN: WINNER/RECIPIENT.

RE: 3rd Annual University Staff And Students Award.

This is to notify you that you have emerged as one of the recipients of the 3rd Annual University Staff And Students Award Grants of the UNITED NATIONS EDUCATIONAL GRANTS for this year. [Me? I won? Wow!]

Your University email address, picked from your school website and attached to ticket number [I still like the idea of allocating grants this way, saves you filling hateful applications]: 003-0155107-07 with serial number.: AA01/07/003/UNEG which drew the numbers: 10-01-44-86-23 [numbers make it sound soooo official, I'm impressed] which emerged as the 4Th place winning numbers in category "A" amongst other ten email addresses selected from the best 200 Universities worldwide [Nice, Edinburgh Uni is now one of the top 20 universities in the world. We rock!]. Your Award Fund/prize is $500,000.00 (FIVE HUNDRED THOUSAND US DOLLARS) [wait a second, the other email I received offered me £500k GBP! The dollar is not worth much these days in case you haven't heard] which is credited in cash to file with REF:05/1128-ISA/0001-1.

There are a total of 30 winners in this year's award draw who won under categories "A", "B" and "C". All the winners/recipients of this award were selected through a computer ballot system drawn from the best 200 Universities worldwide [it's teh lottary!]. The award which is given annually since 2005 is promoted and sponsored by the UNITED NATIONS, eminent personalities like the Ovorangwen of Benin, The Sultan Of Brunei, Abdullah II Bin Al Hussein (The King of Jordan) and Bill & Melinda Gates are also donors to this year's award [yes, and I can shoot laser from my eyes].

This award is an initiative towards the development and enhancement of global education, the assistance of the less privileged university undergraduates, the appreciation and compensation of hardworking university staff across the world and the encouragement of the use of internet. [of course I deserve this money! I'm hardworking less privileged university staff that encourages the use of internets.]

Your award fund is deposited with our designated paying bank with your ticket number and serial number. You are warned to keep this award information strictly confidential until your award has been processed and your fund remitted to your account to avoid double claim [or perhaps to.... *gasp* allow the fraud to run its course?]. Please be informed that your above award fund has been insured under insurance fund policy which assures you that you will receive your award fund complete without any deduction from the fund for security reasons [that does not make any sense, but it sure makes it sound official]. There are accredited agents in charge of the claims of the awards in the 3 respective categories who are located in Africa, Asia and Australia [why Australia? There's nothing down there but dingoes and poisonous critters]. You are advised to contact the agent in charge of your category (A) with the necessary information as given below to enable him process the claim of your award fund. Below are the information you are required to email to your agent:

1. Name in full
2. Country of Origin
3. Name of University
4. Contact Address
5. Age
6. Sex
7. Occupation
8. Phone/Fax
9. Batch Number
10. Serial Number
11. Reference Number
12. Amount Won
[Now we're getting somewhere, you want my bank details, together with all sorts of information that will make it easy for them to get all of my money out of my account, right?]

The above listed information are to be emailed to our accredited agent in charge of category "A" award claims with his contact information as provided below:

Name : Rev. Jim Edwards [Reverend? Ah yes, play the religious card. Men of the cloth are intrinsically reliable, right?]
Email: jimedwards2020@yahoo.com [Hint for future scams: Yahoo accounts are a bad idea]
jimedwards2121@hotmail.com [Hint for future scams: Look at the above hint, but replace Yahoo with Hotmail.]
Phone: 011-234-703-045-4042 [Allow me to get a list of World's calling country codes. +234 is Nigeria. Colour me surprised!]

CALL HIM FOR MORE DIRECTIVES IMMEDIATELY AFTER YOU EMAIL YOUR INFORMATION TO HIM. DIAL PLUS (+) IN PLACE OF (011-) IF YOU ARE CALLING HIM FROM ANYWHERE OUTSIDE U.S.A.

WARNING!!! [Danger! Danger! Your caps key is stuck!]

(1) YOU MAY RECEIVE THIS NOTIFICATION MORE THAN ONCE AS THIS ORGANIZATION RE-SENDS THIS NOTIFICATION TO THE AWARD RECIPIENTS IN MOST CASES UNTIL EVERY RECIPIENT HAS CLAIMED HIS OR HER PRIZE. ANY OTHER NOTIFICATION OF THIS NATURE RECEIVED BY ANY WINNER BEARING ANOTHER TRADE MARK OR CONTACT INFORMATION SHOULD BE IGNORED OR FORWARDED TO YOUR CLAIMS AGENT IMMEDIATELY, THIS HELPS US TO FIGHT THE ACTIVITIES OF IMPOSTORS. [Translation: we send this to several people, so you may receive it again, which is not an indication of a fraudulent transaction.]

(2) SUBMISSION OR PROVISION OF WRONG INFORMATION TO YOUR AGENT LEADS TO IMMEDIATE DISQUALIFICATION AND CANCELLATION OF YOUR AWARD. [Translation: Don't play with us.]

Congratulations!!!

Sincerely,
Brent Adams
University Awards Coordinator,
United Nations Educational Grants.

Friday, November 16, 2007

Research grants: the new identity fraud scam

We have all become used to identity fraud scams coming from the daughter of the late Prime Minister of Burkina Faso, or UK National Lottery winning notices mysteriously coming from Yahoo Hong Kong addresses. I have just received a first, which I thought I would share with you. This is, to my knowledge, the first scam directed towards academics that I have ever seen. My comments in red:

SUBJECT: GRANT AWARD DONATION!! [Multiple exclamation marks are a sure sign of a deceased mind]
FROM: ukfoundation@award.com [what, no .org.uk or .ac.uk domain?]
REPLY TO: claimsofficeruk@uk2.net [and even stranger, the reply-to address is different, and from a cheap ISP. I'm getting suspicious now]

THE UK FOUNDATION FOR BASIC RESEARCH. [I'm going to ignore the fact that such a body does not exist]

The Uk Foundation for basic research would like to notify you that you have been chosen by the board of trustees as one of the final recipients of a cash Grant/Donation for your own personal, educational, and business development [aren't I the lucky one?].The Uk Foundation for basic research was conceived with the objective of human growth, educational and scientific research, with a mind also for Community development. [you forgot to mention World Peace]

In conjunction with the ECOWAS [the Economic Community Of West African States? I'm starting to guess where this is coming from] ,UNO and the EU We are To celebrate the 30th anniversary program, We are giving out a yearly donation of £500,000.00 (five hundred thousand pounds sterling) each to 100 lucky recipients. These specific Donations/Grants will be awarded to 100 lucky international recipients worldwide; in different categories for their personal business development and enhancement of their educational plans. This is a yearly program, which is a measure of universal development strategy.

Based on the random selection exercise of internet websites and millions of supermarket cash invoices worldwide [wait, research grants given on the basis of supermarket cash receipts? Well, there's an idea for the UK research councils!], you were selected among the lucky recipients to receive the award sum of ( £500,000.00 ) Five hundred thousand dollars as charity donations/aid from the Uk Foundation, ECOWAS, EU and the UNO in accordance with the enabling act of Parliament [I'm guessing that telling us which Act of Parliament is out of the question?]. (Note that all beneficiaries email addresses were selected randomly from over 100,000 internet websites or a shop'scash invoice around your area in which you might have purchased something from).

You are required to contact the Claims Processing Manager below, for qualification documentation and processing of your claims. Please endeavor to quote your Qualification numbers (N-222-6647, E-910-56), REF Number: SW/90/0021/7896/56 BATCH No: 34/0065/KJY in all discussions [meaningless yet official-looking numbers make everything look better].

Executive Sec. MR. George Jackson.
Claims Processing Manager
TEL: +4470 1114 6946
FAX: +4470 9287 1710
Email: claimsofficer07@merseymail.com
Email: claimsofficeruk@uk2.net

NOTE:THE FOLLOWING DETAILS ARE NEEDED FROM YOU AS TO ENABLE YOUR DONATION FUNDS RELEASE !
1. Full Names:
2. Residential Address:
3. Direct Phone No:
4. Fax Number:
5. Email address:
6. Qualification numbers:
7. Sex:
8. Nationality:
9. Occupation:
10.Age:

[Now we're getting somewhere! They want my personal details... I smell identity fraud down the line].

Finally, all funds should be claimed by their respective beneficiaries,no later than 20 days after notification. Failure to do so will mean cancellation of that beneficiary and its donation will then be reserved for next years recipients.

On behalf of the Board kindly, accept our warmest congratulations [the comma should go after Board].

In your best interest to avoid mix up of numbers and names of any kind, we request that you keep the entire details of your award strictly from public notice until the process of transferring your claims has been completed, and your funds remitted to your account [Oops, does that mean that I won't be getting my research grant? Say it isn't so!]. This is part of our security protocol to avoid double claiming or unscrupulous acts by participants/nonparticipants of this program [unscrupulous people trying to take advantage of others? Whoever heard of such a thing?].

Sincerely Yours,

MRS.MARRY JACK.
THE PROMOTION COORDINATOR, [Note to future frauds: choosing a believable name would make your scam more effective. Mary Jackson would be a better option].