The Coming Internet Sting: Counterfeit Ecommerce Sites
Fake e-commerce sites may be the next "big thing" for criminal and fraudulent actvity on the net.
The multitude of high profile virus outbreaks that have occurred since the "Big Bang" of Melissa over a year ago seem to prove that either users are not getting any more careful or that virus authors are getting even better at promoting their "warez." While these viruses undeniably cause tremendous financial damage in terms of lost productivity and downtime, there has not been any monetary benefit to any sort of criminal group. These have been widespread acts of vandalism.
The major spate of distributed denial of service attacks in February 2000 also demonstrated the ability of a small group or even a single person to control significant portions of Internet traffic for the purpose of creating havoc and nothing else. What seems inevitable is for more profit-oriented hackers to enter the fray, and combine the inherent weaknesses in both the Internet infrastructure and the people that use it to find lightning-quick swindling opportunities.
A likely candidate vulnerability that we have already seen a few examples of is the Counterfeit Ecommerce Site Scam.
|"If you are a bad guy, you can try to break into a bank or an ecommerce site via the Net ... [but] from the criminal's perspective, there is always the risk of tripping an intrusion detection system's "silent alarm.""|
Of course, several types of criminal and fraudulent activities have been taking place since the commercialization of the Internet began taking place several years ago. If you are a bad guy, you can try to break into a bank or an ecommerce site via the Net, looking for a database of credit card numbers or savings accounts, or if you are extremely lucky (or good), you can gain access to an internal host program to authorize transactions, transfers, etc. These will always be good targets - that's where the money is, and even though these businesses will continually strengthen their defenses, there will always be weaknesses to exploit.
However, from the criminal's perspective, there is always the risk of tripping an intrusion detection system's "silent alarm," and the time it takes to successfully "crack" a site may leave a large amount of incriminating log file data for a forensics expert to use in tracking the perpetrator down.
Another common Internet scheme is to simply set up a fraudulent Web site. Maybe the site purports to be a legitimate ecommerce site, taking orders from naïve consumers for widgets that will never be delivered. Or perhaps it is some sort of a pyramid scheme, appealing to a person's own greed as a way to separate them from their cash.
These are scams that will have a longevity that matches the number of gullible users out there. They will always be with us, but from the criminal's perspective there are downsides - the longer the duration with which the site is operational and promoted will increase the returns, but also the risk of being caught.
It is really pretty natural for traditional criminal activities to find their way online in one way or another. Counterfeiting is one such activity that can take many forms on the Internet. Counterfeiting a popular Web site and finding ways to drive large volumes of traffic to it in a very short timeframe is a quite feasible method to embezzle huge sums of money in literally minutes. We have seen some attempts at this already, and awareness should be raised into understanding how to prevent or trace this type of activity.
First, the bad guy needs to pick a target Web site to counterfeit. The basic criterion is that the site should be some type of an ecommerce site where people are used to entering credit cards, passwords or similar information. The more popular the site is, the easier it will be to gain the user's trust in a cloned site. Popularity will also give the criminal more options for driving traffic to their "knockoff."