Unearthing and Dissecting Internet Fraud
Michael Krieger
Michael Krieger has practiced high technology business and intellectual property law for more than 20 years. His practice focuses on protecting and exploiting clients' patents and other key IP assets via a combination of strategic counseling, litigation and preventive means as needed.
With degrees in mathematics (B.S., Caltech; Ph.D., UCLA) and law (UCLA), he was on the MIT Mathematics and UCLA Computer Science faculties and was also a Fulbright Scholar prior to practicing law. This technical background led to early involvement with encryption, the domain name-trademark clash, and open source issues, as well as IP litigation for content providers and patent holders. His clients have ranged from start-ups to industry leaders, including counseling in the tech transfer arena and for the United Nations and other international technology initiatives. He also serves as an expert in technology litigation.
“You will never catch up with the new technology.”
“I swear I wasn’t looking at smut – I was just stealing music.”
“I loved your E-mail, but I thought you’d be older.”
We all face increasingly challenging problems, arising from . . .
• ever-more-ubiquitous technology sophistication (“Just for kicks, Leon, let’s shut down the FBI again.”),
• spam,
• identity and privacy scams (“You know, you can do this just as easily online.”),
• overt criminality, some latent (“Big Tony’s website – get rid of it.”) … and others well-organized.
Introductions
David J. Steele
David J. Steele specializes in Internet law at Christie, Parker & Hale in Newport Beach. Mr. Steele also teaches Trademark and Internet Law at Loyola Law School.
An expert on Internet law and technology, Mr. Steele has successfully handled hundreds of Internet cases, typically for famous trademark owners.
Mr. Steele holds a B.S. in Electrical and Computer Engineering from California State Polytechnic University, Pomona, and a J.D. from Loyola Law School.
Bennet Kelley
Bennet Kelley has been at the center of the legal and policy debates over many of today’s top internet issues, having provided legal advice, litigated, lobbied, testified and written commentaries on issues such as privacy, spam and spyware. Mr. Kelley currently serves as Assistant General Counsel and Director of Governmental Affairs & Privacy for ValueClick, Inc. and is also Co-Chair of the Legislative Subcommittee of the California State Bar’s Cyberspace Committee. In September, he will launch the Internet Law Center with offices in Santa Monica and Washington, D.C.
Mr. Kelley received a B.S. in Political Science from The American University in 1984 and a J.D. from Georgetown University Law Center in 1990.
Part 1
The Problems
A Growing Problem
Internet Crime Complaint Center 2006 Internet Crime Report
• Referrals: 2001 – ≤ 50,000; 2006 – 207,492
• Dollar loss: 2001 – $17.6 MM; 2006 – $198.4 MM
• Top mechanisms: e-mail – 73.9%; websites – 36.0%
Lions and Tigers and
• Phishing
• Spyware
• Malware
• Cybersquatters
• Domain Tasters
• Click Fraudsters
• Counterfeiters
• Rogue Vendors
• ‘419 Scammers
OH MY!
Phishing
What is Phishing? “Phishing attacks use both social engineering and technical subterfuge to steal consumers’ personal identity data and/or financial account credentials.” – Anti-Phishing Working Group
Common Types of Phishing
• Dragnet – bulk e-mails to large groups of users
  – no specific target pre-identified
  – e.g., directing users to a falsified identification
• Rod-and-Reel – targeted contact with a pre-identified victim
  – e.g., lure to visit website
• Lobsterpot – set trap and wait for victim
  – e.g., confusingly similar domain name
Dragnet Example
From: Customer Support [mailto:[email protected]]
Sent: Thursday, October 07, 2004 7:53 PM
To: Eilts
Subject: NOTE! Citibank account suspend in process

Dear Customer:
Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information. This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension. Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand. Please use our secure counter server to indicate that you have signed on, please click the link bellow: http://211.158.34.249/citifi/. Note that we have no particular indications that your details have been compromised in any way. Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC. Citibank and Arc
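The dragnet mail above carries the signals an analyst checks first (a link to a bare IP address, the brand name in the URL path rather than in the domain, pressure wording), and the lobsterpot type turns on a confusingly similar domain. The following is an added example, not part of the presentation, that mechanises that first pass in Python. The brand table and thresholds are constructed, the From/To addresses are made up (the slide redacts the real sender), the message is assumed to be plain text, and the registrable-domain helper is a naive last-two-labels version that a real tool would replace with the Public Suffix List.

```python
"""Phishing triage for the dragnet and lobsterpot patterns above.
Added example, not from the presentation. Reports: link host is a bare
IP; a protected brand appears in a URL outside the brand's own domain;
registrable domain within two edits of the brand's (lobsterpot); sender
domain does not match the brand the text claims; pressure wording.
"""
import email
import email.utils
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed brand table; a deployment would load it from the brand
# protection registry.
BRANDS = {
    "citibank": {"keywords": ("citibank", "citi"),
                 "domains": {"citibank.com", "citi.com"}},
}
URGENCY = ("immediately", "suspend", "mandatory", "precautionary", "prompt")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: fine for .com/.net,
    wrong for ccTLDs such as co.uk, where the Public Suffix List is needed."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the lookalike-domain check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> list:
    """Signals carried by one URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    signals = ["raw-ip-host"] if is_raw_ip(host) else []
    reg = registrable_domain(host)
    for brand, info in BRANDS.items():
        if reg in info["domains"]:
            continue  # the brand's own site
        if any(k in host + parts.path.lower() for k in info["keywords"]):
            signals.append(f"brand-outside-legit-domain:{brand}")
        label = reg.split(".")[0]
        if any(edit_distance(label, d.split(".")[0]) <= 2
               for d in info["domains"]):
            signals.append(f"lookalike-domain:{brand}")
    return signals


def analyze(raw: str) -> dict:
    """Triage one plain-text message (assumption: not multipart)."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    # The text claims a brand, but the mail did not come from its domain.
    signals = [f"sender-domain-mismatch:{brand}"
               for brand, info in BRANDS.items()
               if any(k in text for k in info["keywords"])
               and sender_dom not in info["domains"]]
    urls = {}
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        urls[url] = classify_url(url)
    strong = signals or any(urls.values())
    return {"signals": signals, "urls": urls,
            "urgency_terms": [t for t in URGENCY if t in text],
            "verdict": "phish" if strong else "clean"}


# Constructed sample: the slide's Citibank dragnet mail with made-up
# From/To addresses (the real sender address is not on the page).
SAMPLE = """From: Customer Support <support@citi-verify.example>
To: victim@example.org
Subject: NOTE! Citibank account suspend in process

Dear Customer:
Recently there have been a large number of cyber attacks pointing our
database servers. In order to safeguard your account, we require you to
sign on immediately. This process is mandatory, and if you did not sign
on within the nearest time your account may be subject to temporary
suspension. Please use our secure counter server to indicate that you
have signed on, please click the link bellow:
http://211.158.34.249/citifi/. Note that we have no particular
indications that your details have been compromised in any way.
Thank you for your prompt attention to this matter.
Regards, Citibank(R) Card Department
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The lookalike check deliberately fires alongside the brand-keyword check rather than instead of it, so a name such as citibnak.com is reported under both headings; the edit-distance threshold of two is a constructed starting point and will need tuning for short marks, where two edits reach unrelated words.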
Lobstah Paht
Spyware
“A somewhat vague term generally referring to software that is secretly installed on a user's computer and that monitors use of the computer in some way without the user's knowledge or consent. Most spyware tries to get the user to view advertising and/or particular web pages. Some spyware also sends information about the user to another machine over the Internet. Spyware is usually installed without a user's knowledge as part of the installation of other software, especially software such as music sharing software obtained via download.”
– Matisse Glossary of Internet Terms
The Wares
Adware
• Software bundled with ad service software
• Notice & consent issues
Spyware
• Gathers information on the user without knowledge
  – e-mail addresses
  – passwords
  – credit card information
• Keystroke logging
• Alters default settings
Malware
• Software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.
Rogueware and Scareware
• Faux anti-spyware programs, or legitimate programs that overstate the threat by labeling benign applications as spyware
Warez
• Term used by software “pirates” to describe software that has been stripped of its copy protection and made available on the Internet for downloading.
Domain Name Fraud
• Cybersquattering
• Domain Name Tasting
• Other Domain Name Fraud
Domain Name “Tasting”
• Register and “taste” a name for 5 days
• Return domain names for a full refund
• Measure traffic through pay-per-click ads
• Keep domain names that earn more than $6
• Monetize domain names
  – misdirect customers
  – get paid by advertisers (e.g., Google AdSense)
How Bad is the Problem?
• March 2005 – nearly 43 million .com and .net domain names registered.
• Only 2.5 million names were deleted that same month.
• In April 2006, 35 million names were registered.
• Of those names, 32.7 million were used again and again but never registered permanently!
Other New Domain Name Abuses
• Domain Name Kiting – registrars taste and monetize domain names in bulk and delete them
  – then, using an automated process, they automatically re-register them … again and again.
Other Domain Name Abuses (con’t)
• Domain Name Spying – cybersquatters obtain information that a domain name is of interest to a consumer
  – they most often purchase this information from whois websites and domain name registrars
  – then, using an automated process, register the domain name before the consumer can
  – then offer to sell the domain name
Click Fraud
• Generated manually or by automated software.
  – Primarily initiated by advertising competitors and CPC affiliates and traffic partners.
  – Other reasons: revenge (disgruntled employee) and blackmail (exploit network limitations for profit).
• Click Fraud Network
  – Overall – 15.8% (Q2 2007)
  – Search engines – 25.% (Q2 2007)
• Google
  – 10.0% total, but after filtering only 0.2% is actually billed
  – Released report in 2006 on “How Fictitious Clicks Occur in Third-Party Click Fraud Audit Reports”
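The gap between “10.0% total” and “0.2% actually billed” is the work of invalid-click filters run over the raw click log before invoicing. As an added example (not the presenters’ or any ad network’s code), the Python below applies two such filters to a constructed log: repeated clicks from one source address on one ad inside a short window, and clicks from automation user agents, with a per-publisher breakdown that singles out the affiliate and traffic-partner sources the slide names as the primary originators. The log format, thresholds, IP addresses and ad identifiers are all constructed.

```python
"""Invalid-click filtering over a constructed click log.
Added example, not the presentation's or any ad network's code.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

WINDOW_SECONDS = 300        # look-back window per (ip, ad) pair (constructed)
MAX_CLICKS_PER_WINDOW = 2   # more than this from one IP on one ad is invalid
BOT_UA_MARKERS = ("curl", "python-requests", "wget", "headless")


@dataclass
class Click:
    ts: datetime
    ip: str
    ua: str
    ad_id: str
    publisher: str


def parse_line(line: str) -> Click:
    """Constructed log format: ISO timestamp|ip|user-agent|ad|publisher."""
    ts, ip, ua, ad_id, publisher = line.strip().split("|")
    return Click(datetime.fromisoformat(ts), ip, ua, ad_id, publisher)


def filter_clicks(lines):
    """Return (results, summary): results is a list of (Click, reason),
    with reason None for a billable click."""
    recent = defaultdict(deque)  # (ip, ad_id) -> timestamps inside the window
    results = []
    clicks = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    for click in clicks:
        reason = None
        if any(m in click.ua.lower() for m in BOT_UA_MARKERS):
            reason = "automation-user-agent"
        q = recent[(click.ip, click.ad_id)]
        while q and (click.ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()              # expire clicks that fell out of the window
        q.append(click.ts)           # flagged clicks still count toward the window
        if reason is None and len(q) > MAX_CLICKS_PER_WINDOW:
            reason = "repeat-click-from-source"
        results.append((click, reason))
    per_pub = defaultdict(lambda: [0, 0])  # publisher -> [clicks, filtered]
    for click, reason in results:
        per_pub[click.publisher][0] += 1
        per_pub[click.publisher][1] += bool(reason)
    total = len(results)
    filtered = sum(1 for _, r in results if r)
    summary = {
        "total": total, "filtered": filtered, "billable": total - filtered,
        "filtered_pct": round(100.0 * filtered / total, 1) if total else 0.0,
        "by_publisher": {p: round(100.0 * f / n, 1) for p, (n, f) in per_pub.items()},
    }
    return results, summary


# Constructed log: clean search clicks, one IP hammering ad A-100 through
# an affiliate, one scripted click, and a later click from the same IP
# after the window has expired.
LOG = """\
2007-06-12T09:00:00|198.51.100.10|Mozilla/5.0 (Windows NT 5.1)|A-100|search
2007-06-12T09:00:05|198.51.100.11|Mozilla/5.0 (Macintosh)|A-100|search
2007-06-12T09:01:00|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
2007-06-12T09:01:20|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
2007-06-12T09:01:40|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
2007-06-12T09:02:00|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
2007-06-12T09:02:20|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
2007-06-12T09:03:00|198.51.100.12|curl/7.16.2|A-200|affiliate-42
2007-06-12T09:04:00|198.51.100.13|Mozilla/5.0 (X11; Linux)|A-200|search
2007-06-12T09:30:00|203.0.113.7|Mozilla/5.0 (Windows NT 5.1)|A-100|affiliate-42
"""

if __name__ == "__main__":
    results, summary = filter_clicks(LOG.splitlines())
    for click, reason in results:
        print(click.ts.time(), click.ip, click.publisher, reason or "billable")
    print(summary)
```

The per-publisher rate is the number a network acts on contractually (the audit-rights and termination clauses in Part 2): on this constructed log the search source bills cleanly while the affiliate has more than half of its clicks removed. Real filters add dwell time, conversion follow-through and IP reputation; a rate-only filter like this one is easily evaded by distributing clicks across addresses.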
Counterfeiting on the Internet
• Accounts for 10% of online commerce – approx. $35 BB
  – Beneficiaries include organized crime and terrorist groups (Source: Intl Chamber of Commerce)
• US companies lose an average of 23 percent of potential sales due to trademark infringement and counterfeiting (Source: Intl Trademark Association)
• Tiffany found that 95% of its products sold on eBay were counterfeit or grey market goods
Protecting Your Brand
• 25% of porn sites use popular brand names (search engine magnets, metatags and links) (Source: Cyveillance)
• 32 million out of 35 million registered domain names appear fraudulent (Source: GoDaddy.com)
• 92 of the top 100 brands are used in third-party search ads (Source: NameProtect)
  – 98% used the actual brand name
  – 45% were directly competitive
Spam
Rogue Vendors
• Engaging in unauthorized conduct
  – spam
  – changing your creative content
  – using your content for other purposes
  – deceptive advertising
• Keyword search
• E-mail marketing
• Banners
Let’s Not Forget . . .
Nigerian 419 Schemes
• Pre-dates the Internet
• At least 15 people killed
• Losses in 2005
  – US – $720 MM
  – Worldwide – $31.8 BB
• Bankruptcies caused by ‘419 schemes (1996-2006)
  – US – 8,350
  – Worldwide – 13,087
Scam Dates Back to 1588
• “It's an interesting setup, Mr. Ross. It is the oldest confidence game on the books. The Spanish Prisoner... Fellow says, him and his sister, wealthy refugees, left a fortune in the Home Country, he got out, girl and the money stuck in Spain. Here is her most beautiful portrait. And he needs money to get her and the fortune out. Man who supplies the money gets the fortune and the girl. Oldest con in the world.”
• From Wikipedia: The Spanish Prisoner is a confidence game dating back to 1588.
• FYI: if a sucker is truly born every minute, there would have been over 220 million suckers born since 1588 (one a minute for 419 years).
Part 2
Prevention and Remedies
Prevention / Remedies
Develop a Plan
– Now … not then
– Consider likely problems
– Implement preventive measures
– Detection / monitoring tools
– Action plan for problems
– Remedies
Contractual Protections
• Strong anti-fraud provisions
• Restrict risky conduct by requiring prior approval
• Audit rights
• Termination
• Liquidated damages
• Make sure vendors’ partners have made similar warranties
Protections for Consumers
• Inventory your wallet's contents
• Consider a credit-monitoring service: Equifax, Experian, TransUnion
• Order a free credit report every four months (AnnualCreditReport.com)
• Renew the 90-day fraud alerts placed on your credit reports.
Detection / Monitoring Tools
• Search and web monitoring
  – RSS
  – Technorati
  – MonitorThis
  – WatchThatPage
  – Google/Yahoo search feeds
• Private services (mark watch & domain names)
  – MarkMonitor
  – Thomson & Thomson
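A mark watch for domain names works from permutations of the mark matched against new registrations, which is how the “confusingly similar domain name” of the lobsterpot slide and the cybersquatting and domain-spying abuses in Part 1 are caught early. The following is an added example, not the presentation’s code nor any watch vendor’s: a Python generator for the usual typosquat classes (omission, doubling, substitution, insertion, transposition, visual confusions, marketing affixes, TLD swaps) and a matcher against a feed of new registrations. The feed, the TLD and affix lists and the owned-domain set are constructed; a commercial service would pull the feed from zone-file access and WHOIS.

```python
"""Brand watch: enumerate lookalike domains for a mark and match them
against a feed of new registrations. Added example, not the
presentation's code nor any vendor's.
"""
import string

TLDS = ("com", "net", "org", "biz", "info")                     # constructed
AFFIXES = ("login", "secure", "online", "support", "verify")    # constructed
CONFUSABLES = (("l", "1"), ("i", "1"), ("o", "0"), ("rn", "m"), ("vv", "w"))


def typo_variants(label: str) -> set:
    """Single-edit lookalikes of one DNS label, plus visual confusions."""
    out = set()
    alphabet = string.ascii_lowercase + string.digits
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                  # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubling
        for c in alphabet:
            out.add(label[:i] + c + label[i + 1:])          # substitution
            out.add(label[:i] + c + label[i:])              # insertion
    for i in range(len(label) - 1):                          # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for a, b in CONFUSABLES:
        out.add(label.replace(a, b))
    out.discard(label)
    return {v for v in out if v}


def watch_list(mark: str, tlds=TLDS) -> set:
    """Candidate registrations for a mark: typo variants and the mark itself
    on every TLD, plus the mark combined with common phishing affixes."""
    mark = mark.lower()
    cands = set()
    for label in typo_variants(mark) | {mark}:
        cands.update(f"{label}.{tld}" for tld in tlds)
    for affix in AFFIXES:
        for tld in tlds:
            cands.add(f"{mark}-{affix}.{tld}")
            cands.add(f"{affix}-{mark}.{tld}")
    return cands


def match_feed(mark: str, feed, owned=()) -> list:
    """Domains in a registration feed that hit the watch list and are not
    already held by the brand owner."""
    wl = watch_list(mark) - {d.lower() for d in owned}
    return sorted({d.lower().rstrip(".") for d in feed} & wl)


# Constructed feed of newly registered names (the zone-file delta a mark
# watch service would pull each day).
FEED = ["citibnak.com", "example.org", "c1tibank.net", "citibank-verify.com",
        "bankofsomething.com", "citibank.com", "cit1bank.biz"]

if __name__ == "__main__":
    print(match_feed("CitiBank", FEED, owned={"citibank.com", "citi.com"}))
```

The watch list for an eight-letter mark runs to a few thousand names across five TLDs, which is small enough to check against a daily feed by set intersection; what the list does not cover is the domain-tasting case, where a name is registered and dropped inside the five-day grace period, so the feed needs to include adds that are later deleted, not only the names that stick.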
Action Plan
• Fact gathering
  – ensure you understand the problem
• Containment
• Remediation
  – disclosure requirement?
• Remedies
  – civil
  – criminal
• N.B. Law enforcement action may preclude some/all civil options (temporarily)
Spyware Federal Enforcement
State & Civil Enforcement
Phishing Remedies
• California Anti-Phishing Law--Cal. B&P Code Sec. 22948
• "It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
Click Fraud Enforcement
Against Search Engines
• Google settles nationwide class action for $90 million – Lane's Gifts & Collectibles LLC et al. v. Yahoo! Inc. et al. (Ark. Cir. Ct.)
• Yahoo settles class action for $4.5 million in attorneys’ fees plus refund of fraudulent charges – Checkmate Strategic Group v. Yahoo (C.D. Cal.)
By Search Engines
• Google v. Auction Experts International (Cal. Superior Ct. 2005) ($75,000 default judgment)
Attacking Counterfeiting
• Tiffany & Co.
  – wins $960,000 verdict and injunction against online seller of counterfeit goods
• eBay litigation
  – Rolex
    • German court rules eBay must take measures to prevent recurrence of counterfeit Rolex postings
  – Pending
• Civil remedies – Lanham Act / Copyright Act
  – injunctive relief
  – damages
  – forfeiture
• Criminal remedies – Trademark Counterfeiting Act
  – criminal penalties
  – forfeiture
• Administrative remedies
  – Intl Trade Commission Section 337 – exclusion order for infringing items
  – U.S. Customs – border seizure
Domain Name Remedies
• Uniform Domain Name Dispute Resolution Policy (UDRP)
• Anticybersquatting Consumer Protection Act (ACPA) – 15 USC 1125(d)
  – in personam
  – in rem
Jurisdictional Issues
• Foreign actors
  – or US actors who fake being overseas
  – hard to track down the real bad guy
• Amounts not worth pursuing (just fix it and move on)
• No jurisdiction over defendant?
Legislative Response: Spyware
15 States with Spyware Laws
• California law is the model
  – Prohibits deceptive downloading and/or collection of information
  – Prohibits taking over a third party’s computer or altering default settings
No Federal Law
• FTC position – already has sufficient authority
Spy Act / I-Spy Act
• The Spy Act
  – proscribes conduct associated with spyware
  – notice requirements for adware and other downloadable applications
• I-Spy Act – criminal penalties for spyware
• Both passed the House in 2004 and 2005
Current Spyware Legislation
• H.R. 1525 – I-SPY Act
  – 754 words
  – Passed House by voice vote
• H.R. 964 – SPY Act
  – 5,421 words
  – Expands reach to include websites and regulate “unfair” as well as deceptive conduct
  – Manager’s amendment morphed it into an online privacy bill
  – Passed House 368-48
  – Opposed by principal sponsors of the I-SPY Act
• S. 1625 – Counter Spy Act
Legislative Response: Domain Tasting
• Coalition Against Domain Name Abuse (CADNA)
• Several Large TM owners
• ICANN working group(s)
Questions?