Software

Reporting online crime: What to do when you're the victim

Online fraud shouldn't happen, but it does. And when it does, how should one report the crime, and to whom? Michael Kassner would like to share what he's learned.

A friend from my creative-writing group called me completely distraught, "I've been phished." Ever the stoic, I asked, "How do you know this?" "I checked, and my bank didn't send the email message asking me to reenter my security answer and password." "And?" I had an idea what was next, but still asked. "It looked real," she argued, "So I did what the email said."

Now, I shifted to my "I told you to never do that" mode, and reminded her. "Great, Michael," she snapped, "Great advice, what do you suggest I do now?" Then there was a pause -- a long pause. "Well..."

What should you do?

Quite simply, I was caught off guard. I knew well enough to have her call the bank. But that was all I was sure of -- not good. Not wanting that to happen again, I immediately started looking for information.

After a bit, I came across Bob Burls, a UK-based security consultant who specializes in Computer Incident Response. Over the past several months, he has written a "How to" series about reporting computer crime for NakedSecurity. And he's done a great job. What I'd like to do is summarize what he's found.

Types of crime

Burls looked at the following attacks, and why they're considered crimes:

  • Unauthorized email access: Unauthorized access to an email account.
  • Malware by email: An unauthorized act is performed unknowingly on an individual's computer.
  • SQL injection website attackAn attacker first identifies if a web server of interest is vulnerable to SQL injection. If it is, the attacker then applies SQL injection after which, the attacker has control of the server.
  • Phishing attack: The criminal deliberately misleads a victim using imitation websites and emails, in order to obtain sensitive information (person's identity) in order to sell it or personally exploit it.
  • Trolling: An attacker commits a crime by using the Internet to send messages to threaten, abuse, or harass the victim with the intent of causing alarm, distress, and or anxiety.
  • Fake antivirus: Two primary offenses take place, unauthorized modification of the victim's computer, and using false representation to mislead the victim.

Laws covering the crimes

Burls is most familiar with British law, but he provided information on what laws apply to the above crimes in the UK, USA, Canada, and Australia:

Reporting the crime

Next, Burls gets to the part I'm interested in -- reporting the crime. Again, Burls describes what works in each of the four countries:

  • UK: In the UK, when a crime occurs, it should be reported to the police after which, it is investigated by the police. If the crime is serious enough, it may be referred to the Police Central e-Crime Unit.
  • USA: The Department of Justice website contains a contact page for reporting incidents to local, state, or federal law enforcement agencies. Having looked at the webpage is seems most computer crimes are reported to local offices of:
    • The Federal Bureau of Investigation
    • The United States Secret Service
  • Canada: The Royal Canadian Mounted Police is the main agency when it comes to investigating federal statutes, so it is best to start with them.
  • Australia: The Australian Federal Police website provides advice on whether the Australian State or Territory Police should be contacted.

In the mean time

There are many suggestions about what you should do with the computer if you intend to contact a law-enforcement agency regarding a possible crime. After interviewing Eric Huber, a highly regarded digital forensics expert, I'd do very little. Eric pointed out we tend to mess up the evidence or break the chain of custody.

Final thoughts

Whether you report the computer crime or not is ultimately up to you. I would like to present something Mr. Burls mentioned, and I had not considered:

In general, it's important all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up, and an accurate picture of the levels of computer crime can be produced.

It seems, law enforcement agencies have not yet figured out how to read our minds.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

14 comments
vadodsantos
vadodsantos

I used to buy VISA virtual cards on card444.com. Years ago they contact me if I wanted to invest in a program to earn interests beyond the money invested. I sent them US$ 3.000 via Western Union. On the first months when I asked about the interests earned so far and to reinvest, they replied. About a year ago I asked them for the money back and they never replied again. Even if they kept the investment and gave me only my money back. Despite several emails sent, I never heard from them again. I only have the emails exchanged in the beginning as proof. Could I also file a complain somewhere ? Thanks.

arunostwal
arunostwal

Any suggestion for when you are cheated by an online seller, who takes the money but doesnt deliver the goods.

eaglewolf
eaglewolf

Basics: 1- Don't use the same username/password for more than one account. This means don't use the same u/p for eBay and PayPal. Guaranteed both are checked. 2- Learn what constitutes a 'strong' password and if yours (multiple) don't fit that convention, change them. 3- Never 'save' passwords on login screens - even on your home computer. 4- Don't use unsecured wi-fi (sorry, Starbucks. Get a mobile hotspot). 5- Delete unsolicited e-mail .. *unopened.* 6- If you can't resist opening the message, DO NOT download any attachments, click any links, or open any files. Current phishing scams often contain redirectors/iframes to sites distributing trojans. The current distribution of trojans exploit every vulnerability it can detect. 7- If you are expecting something like a UPS shipment and you get an e-mail saying there's 'a problem,' STOP THERE. *Call* UPS and ask them to verify. The same holds true with your bank, department store, entertainment venue, Facebook, Twitter, any other social networking. Anyplace you log in can be phished - stop, don't panic, don't click/open anything .. call to verify. If you are 'phished:' 1- Even if it's just an username/password scam, consider ALL your information compromised. 1a - start a FULL virus scan of your computer. 2- Get your credit card - turn it over - and call the 'lost/stolen' number on the back. Advise you are the victim of ID theft. Ask if there has been any activity on the card(s) and, if so, ask that they retain that information for the police report. Get a new card. 3- Call the three Credit Bureaus (Experian, Equifax, TransUnion) and place a 'fraud watch' on your account. This is for 90 days and is renewable. 4- File a police report with your local jurisdiction and make sure you get a case number. This sets the date/time of the incident to protect you from abuse of your information. 5- Notify your bank and have them put a watch on all your accounts. If the phish asked for checking account number(s), bank routing number(s), have the bank cancel those accounts and reissue them. A recommendation to consider: don't have roll-over type overdraft protection. If your first account is cleaned out and that protection is in effect, it can simply roll over to the next account(s). 6- Now comes the real 'pain in the ***' - don't forget to notify any accounts that are auto-deducted from the credit card you just canceled. Additional: 1- Monitor your credit report. You are entitled to one free one per year .. but .. there are three bureaus. Space out your calls - every 4 months, call one of them. You'll get three reports per year. Check with your bank, too. Mine offers, for an extremely reasonable price, the option to check all three bureaus any time you want. And the report is extremely complete. 2- Don't use a debit card for remote or online purchases. While you can recover your funds on a debit card, the money is immediately gone from your account and takes longer with more hassle to recover. There are other hints, too, but your best defense is awareness and thinking 'what if?' Be creative!

HAL 9000
HAL 9000

If nothing else it Establishes a Trend but sometimes it will lead to a Investigation which will result in lost funds being returned when there are sufficient people reporting the incident. One person making a report may not lead to any action but a Million people reporting the same thing will most likely force the hand of the Authorities into doing something. Recently in AU there have been 2 cases of the Feds investigating and coming to some sort of conclusion about this type of Fraud. The First was the people ringing up pretending to be Microsoft and telling people that their computers where infected and getting the victims to allow them to remote in and infect the systems while at the same time charging them And the second was the Feds organizing the Arrest of 17 people in Romania over Credit Card Fraud where the crims had broken into Retailers Systems and where stealing Credit Card Details as sales where being made. Neither of those cases would have resulted in a prosecution if there had not been a large number of people complaining. When there is a large number of people adversely affected it is more likely that the Authorities will do something as the expense is now justified where as investigation because 10 people have complained can not justify the costs of the investigation. Col

mjh2901
mjh2901

Even though you have been fished or hacked, unless it is someone local (say an ex spouse screwing with you) the people who prosecute crimes locally don't really care, they have knife wielding killers to put behind bars. If it is someone local you need to file a police report with your local police department, as this goes down the ID theft road and if something happens to a bank account you need that report for filing paperwork and getting money bank from illegal withdrawls. Reporting it to the department of justice is a good thing, they will probably take no action, but it all gets databased and reported your info adds to the "This is a real problem" report. In the end these are mostly crime rings located offshore. Now what to actually do. First get a clean computer, if yours is compromised then it probably needs to be formatted and have windows re-installed. While this is happening see if you can get a friends laptop for a little while (make sure it is also not compromised and use private browsing or incognito mode and Start changing your passwords. Start with your email accounts and move on to your bank accounts. I would probably stop there, as its just not worth the time to go change every password on every site you use.

JCitizen
JCitizen

will be ignored by the FBI local office or you could have called them. I filed my complaint with the FBI site for such things, so they could at least gather data for eventual prosecution of such criminals. I've since read on Kreb's On Security, and other sites that these data bases have actually helped them prosecute these crooks once they are caught. I would have filed it with the DOJ also, had I been aware of this page link.

Michael Kassner
Michael Kassner

If you have collaboration and it was across state lines (US?), I would start with the FBI.

Michael Kassner
Michael Kassner

Using Google Translate, I was able to make most of the websites out. They are informative and I appreciate you pointing them out.

JCitizen
JCitizen

I, like a dummy, was using a debit card with that company. Fortunately I saw the charge for $19.20 for web hosting service and reported it to the bank within the 48 hour limit for me to get my money back. Now it was a cheap lesson, but it taught me a lot - especially how to gather information for the form over a DOJ ( or was it the FBI?) If I hadn't copied the bank entry into a search engine, I probably would never have caught the scam; I'm sure the guy was buying three months command and control space on this nefarious site so he could run his bot net herding operation. I imagine they only needed that small window of time, because they are constantly switching between hosting services, and keep a stash of alternate sites ready to obfuscate their CAC servers from authorities. That same vendor was bought out and has had great difficulty with their business (I wonder why? :O ), so now they can only take phone orders, and get the card number each time - no more auto ship from them! Oh well! I don't feel sorry for them - they should have taken care of INFOSEC so they. or more accurately, their customers, wouldn't have been hammered. I knew it was them that got compromised especially after I started using online secure cards with them, and they "conveniently" kept losing my card details. The crooks inside their organization never got another dime of my money. Too bad they are the only ones in the world that have what I need, or I would have dumped them long ago!! You might put on the list that there is also several agencies you can report bad sites to, so they can be put on blacklists for IT security personnel. These IP and hostnames will go into a data base for host files and such all over the world, and eventually get them kicked off Google searches too. I wished I could remember who that organization was, they were very thorough and asked me pertinent questions on why I thought the web site were a bunch of crooks. they said they'd list it because of the evidence of faux addresses I pointed out. I still owe Michael a debt of gratitude for turning me on to online secure credit cards!! Thanks Michael! :)

Michael Kassner
Michael Kassner

All good suggestions. Appreciate you taking the time to list them.

Michael Kassner
Michael Kassner

Much appreciated, as it solidified what Mr. Burls was saying.

JCitizen
JCitizen

We have had local successful prosecution for people who've "borrowed" a customers credit card number or data to make illegal purchases; but they have to be a local infraction for the police to stay interested. In my case it was a far flung crack job on an online vendor that resulted in the theft - I can't blame the local gendarmes for not knowing what to do it such cases, and actually they probably don't even have the legal basis to go outside their jurisdiction - so I don't expect them to do anything about cases like that, other than to take a report to backup the evidence gathering process. I certainly doesn't hurt to turn in a report to local law enforcement, and in some cases even the state attorney's general might want to gather crime data on such incidents. I know our state is very pro-active in this area, but your mileage may vary in yours.

Michael Kassner
Michael Kassner

Mr. Burls was hoping to get more people to report it, even if little can be done. An upward trend will eventually get their attention.