Network News

X My Profile
View More Activity

Retail Fraud Rates Plummeted the Night McColo Went Offline

One month after the shutdown of hosting provider McColo Corp., spam volumes are nearly back to the levels seen prior to the company's take down by its upstream Internet providers. But according to one noted fraud expert, spam wasn't the only thing that may have been routed through the Silicon Valley based host: New evidence found that retail fraud dropped significantly on the same day.

It is unclear whether the decrease in retail fraud is related to the McColo situation, but in speaking with Ori Eisen, founder of 41st Parameter, he said close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt.

Eisen, whose company provides anti-fraud consulting to a number of big retailers and banks, told me at least two of the largest retailers his company serves reported massive declines in fraud rates directly following McColo's termination.

"It stopped completely that night," Eisen said, referring to a drop in fraudulent activity linked to purchases of high-value merchandise with stolen credit and debit cards on Nov. 11, the day McColo was shut down. "Yet, it will come back after [the scammers] erect their new infrastructure."

Eisen's testimony suggests that a great many fraudsters may have been using McColo to funnel their Internet connections when attempting to purchase goods from retailer sites.

In a follow-up blog post about the casualties of the McColo disconnection, Security Fix called attention to a Web site called "fraudcrew.com," a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew.com was hosted on McColo's servers.

From that piece:

There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.

These masking services provide a software program that allows the user to pick from a drop down list of Internet addresses to proxy through. For example, if a user in Ukraine, has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.

It is impossible to say whether the same individuals who were funneling their spam operations through McColo have moved elsewhere. For its part, Fraudcrew appears to have found a new host, a provider in Luxembourg.

Spam volumes have since risen almost to pre-McColo levels in the past month. Some of this resurgence has been sporadic, thanks in no small part to the efforts of FireEye, a Milpitas, Calif., based security startup, which has kept pressure on Internet service providers not to associate themselves with the spam gangs that have been trying to regain control over their herds of spam spewing zombie PCs. Interested readers can learn more about these efforts by visiting the always-interesting FireEye blog, at this link here.

By Brian Krebs  |  December 11, 2008; 6:31 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Court Freezes Assets of Alleged 'Scareware' Purveyors
Next: Who's Tracking You?

Comments

Spam and internet fraud are all wrapped up together, and they do nothing but cost everyone vast piles of real money.

It would be nice if law enforcement gave this a higher priority. I'd much rather see a spam czar than a lackey for the RIAA associated with internet policy.

The (we) CAN-SPAM Act needs revisiting, and the DMA needs to suck it up and deal with the restrictions needed to combat spam this time around.

I'd also like to see customer oriented ISP's act more responsibly than they are. Instead of using so-called "deep packet inspection" to analyze and violate customers privacy, wouldn't a more profitable use be to devote the same level of resources to finding and killing bots on their networks?

Even better use of common conventions for naming for customer domain name parts would do wonders. It's pretty easy to set it up so that mail from a machine that has a name part like 'cust' for customer, or 'res' for residential gets refused unless it's from an authenticated user. Yet everyone's got to be special about names, so this is way less of an effective tactic than it would seem.

Cleaning up the net is a fools venture, but it should be possible to put a dent in the widespread crime that has evolved.

Posted by: timscanlon | December 12, 2008 2:56 AM | Report abuse

I'd like to hear more about why the ISPs involved in the McColo shutdown had such an abrupt change of heart. I don't buy it that once they became aware of the problem they acted - we've all known for years that a big part of the problem was/is coming from within the US, and look at how easy it was to make a big hole in the problem once the ISPs got involved. I want to know why they had this sudden change of heart.

Posted by: crmurphy | December 12, 2008 10:20 AM | Report abuse

i like how the Russians dealt with one spammer. he was found shot!

Posted by: wawadave | December 12, 2008 11:26 AM | Report abuse

Why was there the change of heart?

Recession means they have to sweat the bandwidth they have. That means the balance between the cost of the legal hassle for removing troublesome bandwidth-hungry customers and the benefit of more revenue from premium customers has changed.

Congratulations to Brian Krebs on this exercise and the follow up.

have been cross referring to his articles from my UK blog - "When IT meets politics"

http://www.computerweekly.com/blogs/when-IT-meets-politics/

- and asking the same question.

Above is the best answer I have found yet -but it begs a lot of questions.

I hope you will be asking the members of the Internet Caucus when they have their advisory council meeting in January

Posted by: PhilipVirgo | December 12, 2008 1:22 PM | Report abuse

I've said it before and I'll say it again. Putting a cost of $0.01 on each email will stop spam. Bill Gates, I hear, says 1/10 of a cent is enough.
I have another proposal - make it a tax! The government not only supports the Internet infrastructure, it spends vast amounts of R&D and law enforcement money fighting Internet fraud, malware and spam. Make the perpetrators pay for it!

Posted by: jeh1 | December 12, 2008 3:08 PM | Report abuse

@Jeh -- Nice idea, but it wouldn't work. A lot of people like to put this suggestion forth as a solution to spam, but it shows a fundamental misunderstanding about how spam is sent.

Spam is almost always relayed through computers that the bad guys have compromised with viruses and trojans and worms and the like.

If we followed your idea, the people who would pay for that are the people whose computers are infected and are relaying the spam for the bad guys.

Can you imagine? Some grandma gets a bill for hundreds of dollars, all because some scammer hacked her machine after she opened an email attachment she thought was a photo from her grandkid.

Posted by: BTKrebs | December 12, 2008 5:14 PM | Report abuse

@BTKrebs, would that not cause users who are presently unconcerned about their computers being 'bots to shape up and become better at cleaning and maintaining them?

If Grannie's zombie spambot spews malware costing hundreds or thousands of dollars in damages why shouldn't she get a bill?

Posted by: bruce_mcculley | December 12, 2008 5:29 PM | Report abuse

This article demonstrates a clear connection between fraud losses and cybercrime.

That raises the obvious question about how much the financial crisis has been exacerbated by cybercrime? There are certainly structural issues in the mortgage area that combined with petro prices (manipulated?) to trigger the collapse, but how much has unrelated fraud been hidden and laundered in the resulting muddy waters? Not just pure cyber fraud, but also identity compromise as an enabler or facilitator?

Posted by: bruce_mcculley | December 12, 2008 5:31 PM | Report abuse

A tax works for me. Grandma's bill can always be adjusted, but the scammers would have to move on after a month or so. Hard to stop them, but they would be slowed down considerably. Besides, the government needs the money and we could sure use more paid cyber cops checking internet fraud. As it is, no one really checks. Also, I would make it possible that big companies that facilitate internet fraud would have to pay. Example, someone used my name to apply for a car with AIG auto insurance. Fortunately, the car seller called to check. AIG, on the other hand, never took any action even though I wrote them many times. They do not have internal controls since I have insurance with AIG. They only cared about selling insurance more insurance, not cleaning up criminals that use their system. Like I said, someone has got to pay for better enforcement of the cyber world, and that someone has got to be the users. We pay for highways with taxes, this is no different.

Posted by: cayoung144 | December 12, 2008 7:28 PM | Report abuse

A tax to ease spam and and provide restitution for the victims sounds really good except one small problem. The entity responsible for collecting the money and assisting the victim. The same bunch that currently brings us well run customer friendly IRS and will be soon bringing us a Health Care run by political whim. A better idea would be a private not for profit association of ISPs, merchant processors and financial institutions where a portion of funds paid by web advertisers and merchants is collected into a fund used for fraud research,detection and restitution of victims. This would ease some of the pain currently felt by processors and financial institutions and get the ISPs involved at a meaningful level while keeping the control freaks and idiots in Washington out of the mix. And before you suggest yet one more law that we just have to pass - remember fraud and theft are already illegal.

Posted by: simillus2 | December 12, 2008 8:51 PM | Report abuse

I love how some people *cough*jeh1*cough* thinks the solution is to make email cost money.

Whatever the merits of that are, how would he propose doing that? It betrays complete ignorance how the internet works.

It's not like there's a central authority for email. People would simply ignore it.

Seriously man, go read a book or something. You're embarrassing yourself.

Posted by: Ombudsman1 | December 12, 2008 10:33 PM | Report abuse

Ombudsman1 - RIGHT ON!
This is why most of the laws we do have are more HARM than help, if of any import at all...
Idiots who know nothing about the subject listen to a**holes called lobbyists with money to burn and bias to promote. The machine gets greased and we get a bunch of cr*p worth less than the paper on which its written.
If we want to *REALLY* stop this, let's stop the greedy and lax bums that say a new internet is too expensive and renovate the foundations that were never meant for this kind of use in the first place. Let's rebuild the dirt roads of ARPANet with superhighways (unfortunately, this may mean tolls too, but...).
*THAT* would be more akin to how we got our highways than some bullsh*i tax that will get raided to bail out wall street or the Detroit Big 3 idiots, or letting unsuspecting grannies get bilked b/c BILL GATES and company are too LAZY and GREEDY to stop releasing alphas as finished products (there ya' go - let the companies that make this exploitable cr*p pay the tax!) or yet another useless law!!!

Posted by: ExchangeSux | December 13, 2008 11:53 AM | Report abuse

the idea of taxing email has some points.

however, taxing impossible to catch and charge spammers is . . . unworkable at best and has been mentioned, likely to hurt those already being abused.

charging the alluded to "grannie" for her computer being used as a node in a spamming scheme ignores the reality of the computer world.

for nerds, it seems simple. just install and maintain the software. for those not so comptuer literate (granny et al) it is absurd.

granny can probably bake circles around all of us. yet we don't have to pay a tax to buy bread.

a more "opt-in" if you will system run by the u.s. postal system would allow those willing to pay a reasonable fee for postal service email protection of a guaranteed account the ability to have a secure email while generating fees to the government to cover the cost of policing.

since it would ideally be a voluntary choice made by subscribers, with clearly delineated policies, it would not infringe on internet freedom, nor would it be an intrsion of gov't on personal freedom.

there would be no requirement to join, anyone could (and most probably would) have the secure connection, while maintaining seperate accounts wherever they currently do for pure social contacts.

as an additional benefit, your usps account could be a lifetime account.

certainly, there would be points to consider, and work out. (such as a "do not spam" list) but it COULD be the basis for secure email, gov't backed and penalized, without surrendering other internet/communication freedoms.

bottom line for me is, i like my freedom to use the net, within reason, as i choose. but i would certainly take advantage of a properly secured email addy for communications (bank/business etc) that i felt needed to have at least the security i can get from snail mail.

and for granny, who still buys reams of stamps at the post office, it would be a clean solution to allow her protection and security with the conveinence of the net.

bill salmon

Posted by: billsalmon4 | December 13, 2008 2:12 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company