Online Scams Becoming More Sophisticated

WASHINGTON POST

The electronic mail message recently sent to America Online subscribers looked official enough. Titled “Important AOL information” and bearing the signature of the company’s Member Services department, the message provided an update of the online computer service’s efforts to fix its busy-signal problem.

At the end of the note, subscribers were asked to jump to a World Wide Web page--which featured a letter from AOL Chairman Steve Case--where they were asked to enter their name and address, as well as their home phone and credit card numbers to update AOL’s new computers.

But what unsuspecting subscribers really were updating, officials say, were the files of a cyberthief trying to commit credit card fraud.

That scam, perpetrated earlier this month, is the latest in a series of increasingly bold and sophisticated online ploys to wrest personal information from AOL subscribers and Internet users in general. Although law enforcement officials say they have no way to tally the cost of such crimes, industry specialists estimate it is costing consumers millions of dollars a year.

“This is a serious problem that’s growing exponentially,” said Richard Power, an analyst with the San Francisco-based Computer Security Institute. “Criminals are becoming ever more clever at manipulating people in the online world.”

Con artists have long used phones, the mail and face-to-face pitches to wheedle personal information out of people. E-mail, however, represents a new and potentially easier medium to commit such crimes, according to industry observers and law enforcement officials.

“It’s relatively easy for fraud artists to look like legitimate companies,” said David Medine, associate director for credit practices at the Federal Trade Commission, which investigates e-mail fraud. “That’s one of the problems inherent in the technology.”

With e-mail, Power said, “you don’t have to worry about masking your voice or putting on a disguise.”

AOL subscribers have been barraged with several messages in recent months that aim to swipe their credit card numbers. Among the tactics have been offers for free time on the service and a request to reenter billing information to confirm a new payment plan, company officials said.

AOL isn’t alone. Such scams recently have been tried on subscribers to other online services and on people who have direct connections to the Internet, industry analysts said.

Yet Dulles, Va.-based AOL has been especially attractive to those seeking to commit fraud because of its size--it has more than 8.5 million subscribers--and the fact that many of its customers are online neophytes.

“By virtue of the fact AOL is the largest online service, it provides the largest pool of potential victims,” said Tatiana Gau, the company’s vice president of integrity assurance.

AOL officials say they investigate reports of credit card fraud and report incidents to law enforcement agencies. In the case of the most recent scam, the company said it was alerted to the message by subscribers and its own employees the day the message was sent and had the Web site that was collecting subscribers’ information shut down later that day.

Gau said all the credit card scams are under investigation by the company and law enforcement authorities.

“They are all ongoing investigations,” Gau said. “There has been no conclusion of the cases at this juncture.”

But the firm says it can do little to squelch the scams other than alert subscribers not to provide personal financial information online. “It’s something we’re constantly warning our members about,” spokeswoman Tricia Primrose said.

The come-ons, however, can be remarkably smooth. The message sent to AOL subscribers earlier this month sounded much like AOL’s recent television spots and official correspondence with customers: “As you know, the No. 1 priority for all of us at America Online continues to be meeting our obligation to provide you with the best possible service.” The note went on to mention “the development of a new server which offers a higher system capacity.”

The note then asked the reader to click on a highlighted section of text to “read in depth about the steps we have taken” and to “complete the required update of your information on our new servers.” Clicking on the text sent users to a Web site outside the AOL service, where they were asked to type in their personal information.

Gau said it appears the site was maintained by at least three different computers across the country, but she declined to release additional information pending the company’s investigation.

According to a publicly searchable directory of Web sites, the address contained in the message is maintained by an Internet access provider in Germany. Gau, however, said the company’s investigation has not yet revealed a connection to an overseas Web site and suggested that the perpetrator may have forged parts of the address.

In addition to the credit card scams, many AOL users also have been sent e-mail recently by con artists trying to get their system passwords. The messages offer such things as a free pornographic picture or a piece of software that will boost a computer’s performance. To get the gift, the user must open a file that is attached to the message. When the file is opened, however, it starts a program that surreptitiously collects the subscriber’s account name and password--and sends it back to the hacker who sent the message.

Such “Trojan Horse” programs also are frequently sent to Internet users and subscribers of other online services. Computer security experts warn users not to open attached files unless they know the person who sent the message.

“People need to be as skeptical in the online world as they are in the off-line world,” Medine said. “Just because it’s coming over a computer and it’s got a nice-looking electronic image, that doesn’t mean it’s official.”
