Gene Fishel, assistant attorney general in the state of Virginias Attorney Generals office, works with businesses, IT professionals, citizens and law enforcement agencies to track down and prosecute computer criminals, in both state and federal courts.
And hes got some interesting stories to tell.
Fishel delivered the keynote address during Ziff Davis May 9 “Enterprise Applications Virtual Tradeshow,” where he provided some prime examples of computer crime, and what IT shops can do about it (report it to state and federal agencies).
Because two of the United States Internet powerhouses are headquartered in Virginia—AOL and MCI—Fishel said that about 80 percent of the traffic on the Internet passes through Virginia at some point.
This little-known fact is actually what provides the Virginia Attorney Generals office with jurisdiction over a good many criminal computer crimes.
“It allows us as a state to test computer crime laws before they go federal,” said Fishel.
“Spam is a good example of that. What we see is on the cutting edge of security threat—with e-mails asking for everything from free home mortgage to penny stock pickers to Shirley Temple memorabilia. Spam is flawed. It is insidious. Its become a great plague on the Internet.”
The Virginia Attorney Generals office was the first in the nation to criminalize spam with its anti-spam law (theres a federal law in place now modeled on Virginias efforts).
Spam, as any IT shop knows, doesnt just affect end users having to clear out their inboxes; it also affects businesses, Fishel said.
He gave the example of a Jeremy Jaemes, a spammer who by 2003 was “wreaking havoc on the world,” sending out 40 million to 50 million pieces of e-mail a day.
Fishels office traced Jaemes back through domain registrations, connectivity lines and credit cards.
When they indicted him, in late 2003, Jaemes had 16 T1 lines connected to the attic work room of a lovely rented house in a Raleigh, N.C., suburb, at a cost of about $45,000 a month to the local phone company.
But Jaemes was pulling in $20 million a month sending out spam.
“Ultimately what happened is he went to trial and a jury convicted him of computer trespassing and sentenced him to nine years in prison, which the judge upheld,” said Fishel.
“The case is on appeal, and [Jaemes] is on house arrest while he awaits the appellate process.”
Advances in Spamming
With spam legislation enacted at the federal level, many spammers are now moving their operations offshore.
Fishel identifies four main types of computer crimes: phishing (spam e-mail that poses as a legitimate company to request personal information from consumers); pharming (a collection of e-mail addresses that are used to commit identity theft); malicious viruses; and spyware that tracks users movements on the Internet to glean personal information, such as credit card numbers.
And there are always new threats looming.
“Whats occurred in the last couple months is a variation on phishing,” said Fishel.
“People are logging on to the real American Express site and a pop-up screen pops up that appears to be from American Express, asking for personal information.”
The scheme, dubbed Banking Trojans, is one that Fishels office hadnt seen before—and one that is particularly disturbing given that it occurs when a person is on a genuine Web site.
“[Phishing] used to be only in e-mail,” said Fishel. “Now its moved into the pop-up realm when youre on a legitimate site.”
Computer crimes are also moving onto another new threat: identity theft, one of the fastest growing crimes in the United States, according to Fishel.
“People use the Internet to purchase things,” he said. “That makes it easier for criminals to sit in Romania or China, access peoples information, and you will not ever know about it.”
Fishel said that every state has an identity theft law, and there are federal laws IT shops need to be aware of (if you or your business ever becomes a victim of identity theft, it needs to be reported to state and federal agencies).
At the same time, Congress has been active in responding to identity theft threats, as have businesses, but the best thing computer users (and administrators) can do is simply monitor their accounts.
“Be vigilant,” said Fishel. “Watch for unusual things, monitor your accounts, report something as soon as it happens.”
He also warned that with database breaches a lot of businesses are subject to civil liability—the consequences of storing personal information.
Fishel said the Virginia Attorney Generals office, headquartered in Richmond, has put its highest priority on stamping out child exploitation on the Internet.
His plea to IT professionals: If you discover employees surfing child pornography sites, or get it in spam, report it to the National Center for Mission and Exploited Children, to your states Attorney Generals office, to local law enforcement.
“Child pornography is the scourge of the Internet,” said Fishel. “Its our highest priority to stamp it out.”