ORGANIZATIONS AND PERSONAL E-MAIL USERS are blocking and filtering millions of junk e-mails every day. However, this approach allows spammers to target vulnerable users who do not have filtering software or technical savvy. It also restricts our use of e-mail, because many networks no longer allow HTML content, images or file attachments.
Instead of blocking, filtering, quarantining and deleting junk mail, we need to adopt a more permanent solution, one that relies on dogged follow-up. Taking a more proactive approach to reporting spam and related e-fraud may be an effective way to finally deliver a knockout punch to this formidable nemesis.
We must start by realizing that we are dealing with more than just junk. A lot of spam consists of deliberate attempts to deceive and defraud.
Junk mailers have registered thousands of domains that look like authentic companies, but are actually fake sites that either harvest personal information or sell unlicensed products. Someone who is casually looking at these sites might think they are from legitimate enterprises, such as banks and credit card companies, since they often contain content that’s been lifted from the real sites.
Because spam is annoying to confront, we divert and delete it instead, and the scammers benefit from this apathy. Sites cannot be shut down if fraud e-mails are not reported, and fraud e-mails cannot be reported if they are deleted or blocked. The good news is that some fraudulent Web sites have been shut down when the e-mails were forwarded to the security administrators of the legitimate companies.
Law enforcement personnel have confirmed that e-fraud is increasing. “We are seeing more and more Internet fraud each year,” warns Anthony Cacciola, a police officer with the Cambridge Police Department in Cambridge Mass. “Many traditional crimes now have a technological or online aspect, and law enforcement needs to devote more resources to these issues.”
One type of scam, known as phishing, involves deceptive solicitations that request personal information, such as a Social Security number, date of birth, full name, and financial information such as a bank personal identification number or credit card and account numbers. “Some of these schemes will come to you through e-mails or instant messages that ask you to fill out an online form or that link or redirect you to a different Web site that has the same appearance, logos and log-on procedures as your bank,” explains Detective Lt. John McLean of the Medford Police Department in Medford, Mass.
“Many of the violators are in other states or overseas, and with the increasing number of phishing schemes being deployed, there has been a significant growth in online bank fraud, identity theft and other related financial crimes,” he continues. “The police do not have the resources, the time and often the jurisdiction to follow up on every online fraud or identity theft.”
Based on the increase in online fraud, it may seem as if we are dealing with an enormous army of spammers. Fortunately, that’s not the case. Recently, an antispam program called KnujOn was used to examine more than 10,000 junk e-mails from a sample of 300 e-mail users in a six-month period. Interestingly, fewer than 40 individuals or organizations were behind all the spam, and about 60 percent of the spam came from only 10 of those sources.
Until now, the antispam dialogue has focused largely on blocking or deleting the messages. Now we need to try a different strategy. We need to find out who is sending the spam and why. Here are some ways to start:
1. Educate your users and employees. Offer classes on how to spot e-fraud and where to report it. Teaching someone how to create a good password is easier than fixing your network after it has been compromised.
2. Start storing spam messages. Deleting spam only hides the problem. To prove a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (also known as CAN-SPAM), you will need the e-mails. The act requires that e-mail marketing include opt-out methods, that adult material be labeled as such in the subject line and that headers are not forged. You may file a complaint (form #3084-0047) at https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01.
This process can seem overwhelming. However, once you start looking at the e-mails, you’ll notice that many of them have very similar content.
3. Forward e-mails and report fraud. Forward obvious e-fraud to the security administrators of the companies being impersonated. Some of the biggest targets of e-fraud are PayPal, Amazon.com and eBay, and they have excellent procedures for handing e-fraud attempts against them and their customers. They also make reporting it easy.
You should also make online banks aware of fraudulent e-mails. All of your junk e-mails can also be forwarded to the Federal Trade Commission, which collects them.
4. Confer with other administrators. Since every network is facing the same problem, administrators should not fear exposing weaknesses or showing a lack of knowledge by discussing security problems with peers. Keep informed by talking about spam and e-fraud problems with other administrators, and join industry groups and online discussions.
5. Search the Web for hijacked content. Not only are junk mailers sending fraudulent e-mails that look like they are from legitimate companies, they are also setting up fake Web sites to impersonate banks, credit unions, online stores, travel agencies and anything else that might lure victims. These fake Web sites often use content right from the actual site, including logos and other organization graphics.
Conduct a search on the Web to find any unauthorized uses of your Web content. If you find sites that have used your content without permission, have your legal department issue them an official request to stop. If a Web site is actively attempting to defraud, contact law enforcement.
The number of e-fraud perpetrators is relatively small, and because many are violating rules and regulations, they are vulnerable to prosecution. So save samples of junk e-mail to be reported. Working with other administrators and exposing potential fraud will shine a spotlight on the online criminals.
The KnujOn Project is looking for participants in the fight against junk mail and e-fraud.
The KnujOn Project is dedicated to providing a solution to the ever-growing junk-mail problem that faces individuals and organizations. It offers a multitiered response to Internet threats and has already shut down hundreds of spammers. The cornerstone of the project is a policy-enforcement reporting and tracking tool that exposes the hidden world of e-fraud.
The KnujOn Project works by:
• Returning forged e-mail to the original sender
• Suspending and shutting down illegal sites
• Reporting attempted identity theft instantly
• Warning various entities of unauthorized content and logo use
• Enforcing Internet regulations
• Exposing spammers
• Tracking thousands of online scams
• Building profiles of fraudulent organizations
• Sharing information with financial institutions and law enforcement
The project’s initial phase focused on 10 mailboxes for six months. This resulted in over 1,200 shutdowns or suspensions of junk-mail-related Web sites. A second (beta) phase has started, and the program is currently looking for volunteer participants to monitor organizational networks and/or personal accounts. Participation is free, and there is no software to install.
Garth Olaf Bruen is the creator of KnujOn, a program used to combat e-fraud. He is a workflow developer and project manager for MassHousing, a Massachusetts affordable-housing finance agency.