Anatomy of a Web Scam
I only know one thing about the job description of Steve Case, head of America Online. He has to write lots and lots of letters. "CaseLetters." He has a mandate to reassure customers at length that his staff is working day and night on the problem of the moment. (Imagine if you got in your car one morning and found a note from the manufacturer explaining how dang hard they are working to track down that weird squeak you hear every time you hit a speed bump.)

Last week a colleague pointed me to a website featuring what looked like another classic CaseLetter. It said "Community Update from Steve Case" at the top and contained all the usual words like "improve" and "commitment" and "work extremely hard." But though his face and written signature adorned the page, Steve Case -- and America Online -- did not know it existed. The mass e-mail that had urged users to visit the page for a "required update of your information on our new servers" was phony too.

Having a morbid fascination for scams online and off, I was intrigued. I read down the page for the hook. A couple of sentences in all capital letters, always a bad sign, stood out. "YOU MAY EITHER READ ABOUT THE STEPS WE HAVE TAKEN, OR JUST UPDATE YOUR INFORMATION ON OUR NEW SERVERS." A handy "update" button appeared at this point.

I clicked on the button. My web browser indicated a "secure connection," certainly intended to reassure, and displayed an astonishingly comprehensive form. Name, address, home phone, work phone, date of birth, AOL account name and password, credit card number and expiration date, social security number, and mother's maiden name were among the items requested. (The perpetrators have not yet been caught, so one can only guess what this information was to be used for. Massive cash advances and shopping sprees, I would think.)

Mark Ward, a Chicago man whose name, home address and home phone number all appeared on the official registration record for the site, said that it was created (and paid for with his credit card) without his knowledge or consent. The first time I talked to him, he hadn't heard anything about it and sounded bemused. Later, he found it "scary." A company called RapidSite in Boca Raton, Florida was the host for the pages, though they had no idea of the contents when I dropped an e-mail note just after 9:00am on the day I learned of the scam. System Administrator Scott H. Adams sent me a short reply about "free speech" and asked for more information. At 9:18, he wrote me again. "AOL just notified us about this scam and we are taking down this site ASAP."

All told, the site's lifespan was less than 24 hours. The scam is gone, but the morals live on:

Don't believe everything that pops into your inbox. More jaded readers will have already learned this lesson, after seeing multiple variations of the "he woke up in a bathtub full of ice and his KIDNEYS WERE GONE" story, for example. E-mail return addresses are simple to forge.

"Security" has two parts. Ironically, all the data the rogue site received from its victims was protected from snoopers by an encrypted "secure server" connection. But the connection is only one part of security -- the people on either end of that connection are the other.

Looks can deceive. In addition to the Case face and signature, the site bore the seals of two trusted Net security firms: RSA (which licenses some of the most commonly used encryption technology in the world) and VeriSign (which is in the business of verifying digital identities for financial transactions). Neither company was aware of the use.

Be careful with your personal information. On a secure server run by a trusted party, you shouldn't worry about your credit card info any more than you do when you hand the card to a clerk. But if you have any doubts, refrain. Few entities other than employers have the legal right to ask for your social security number. And mother's maiden name? That should set the alarm bells a-ringing.

These four points are all good advice, but I have saved for last the most important rule of all: Never trust anybody who types sentences in all caps.

***

Sites in my Sights

Online scammers are just following in the footsteps of pioneering shysters who work in older communications media. For the story of a classic con, read up on the "Nigerian Scam" (home.rica.net/alphae/419coal/).

Don't Just Sit There, Sit There and Do Something

Have a scam (or suspected scam) that you'd like to report? The National Fraud Information Center cooperates with the Federal Trade Commission and other agencies to track Internet, phone, and mail scams. You can use their hotline (1-800-876-7060), website (www.fraud.org) or e-mail address (firstname.lastname@example.org).

I'm always interested in scam news. Send a letter in care of this publication, drop a line via e-mail (email@example.com), or visit the Cyberia website (www.well.com/user/pb/cyb).
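The column's second and third morals, that an encrypted "secure connection" says nothing about who is on the other end and that a page's logos and seals prove nothing, can be turned into a mechanical check on the link an "update your information" e-mail asks you to click. The following is an added illustration, not code from the column or from any of the companies named in it. It assumes a small table of which registrable domains a named sender is actually entitled to send you to (here only "aol.com" for America Online, a constructed entry), and the sample links are constructed to show the disguises the check is meant to catch: a lookalike domain, a host that merely begins with the trusted name, and a user-info prefix that shows the trusted name to the eye while connecting elsewhere. The scheme is deliberately ignored, because a private channel to the wrong party is still the wrong party.

```python
"""Check whether a link in an "update your information" e-mail points at
the organization it claims to represent.

Added example: a padlock says the channel is private, not that the party
on the other end is who the page claims to be. The expected-domain table
and the sample links are constructed for this illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of registrable domains per sender (constructed).
EXPECTED_DOMAINS = {
    "America Online": {"aol.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('www.aol.com' -> 'aol.com').

    Simplification: public-suffix handling (co.uk and the like) is omitted.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_matches_sender(url: str, sender: str) -> tuple[bool, str]:
    """Decide whether ``url`` belongs to ``sender``; return (ok, reason).

    The https/http scheme is intentionally not consulted.
    """
    parts = urlsplit(url)
    host = parts.hostname  # already stripped of any user:pass@ prefix and port
    if not host:
        return False, "no hostname in link"
    if parts.username is not None:
        # 'https://aol.com@other.example/' displays 'aol.com' but the
        # browser connects to other.example.
        return False, f"link carries a user-info prefix; real host is {host}"
    domain = registrable_domain(host)
    allowed = EXPECTED_DOMAINS.get(sender, set())
    if domain in allowed:
        return True, f"host {host} is under {domain}"
    # 'aol.com.other.example' starts with the trusted name but is
    # registered under other.example.
    return False, f"host {host} is registered under {domain}, not {sorted(allowed)}"


# Constructed sample links of the kind such a mail might carry.
SAMPLE_LINKS = [
    "https://www.aol.com/update",
    "https://aol.com@update-servers.example/form",
    "https://aol.com.update-servers.example/form",
    "https://update-servers.example/aol/form",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = link_matches_sender(link, "America Online")
        print("OK  " if ok else "BAD ", link, "-", why)
```

Only the first sample link passes; the other three fail for the reason printed beside them. In practice the same comparison belongs in a mail filter or a browser-side warning, where it can run before the user ever sees the form, and the allowlist should be maintained centrally rather than typed in per e-mail.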