Cybercrime Stories: Sandra
NORTON by Symantec
How does cybercrime affect people? Check out this real-world example. To avoid becoming a victim of cybercrime, learn the basics of online protection.
Sandra is a human resources professional who lives in Miami, Florida. She has used a computer in her job for more than 10 years. At work, her computer is maintained by her organization’s IT department, and she has never experienced any security problems with the computer in her workplace.
Sandra considers herself to be computer savvy and believes that she is at low risk of online fraud for the following reasons:
* She never shops online because she doesn’t want to risk exposing her credit card information, and she doesn’t like the idea that data about her purchases might be stored and used to make a profile of her likes and dislikes.
* She uses her home computer only for personal email with friends and family, to surf the Web for information about new developments in her field, and to do banking once a month via her bank’s website.
* Occasionally she looks other things up on the Web, but not often.
Sandra’s situation seems safe enough, right?
Unfortunately, looks can be deceiving. At work one day last summer, she heard about a new vulnerability specific to the Internet browser she used. It was so critical that emergency patches for all work computers in her organization had been distributed by her IT department that same day. Sandra wanted to be sure her home computer was protected too, so when she got home she went online to get more information about the vulnerability, and to determine if she was protected.
Using a popular search engine, she found a website that offered not only information about the vulnerability, but the option to have a patch for the vulnerability downloaded automatically to her computer. Sandra read the information, but opted not to accept the download since she was taught to download information only from authorized sources. Then she went to the official Internet browser site to obtain the patch.
So, what went wrong?
Unfortunately, as Sandra was reading information about the vulnerability on the first site, the criminal who had created the website was taking advantage of the fact that her computer actually had the vulnerability. In fact, as she was clicking “no” (to refuse the download that was being offered), unbeknownst to her the automatic installation of a small but powerful crimeware program was already taking place on her computer.
The program was a keystroke logger. Simultaneously, the website’s owner was already receiving a notification that the keystroke logger had been secretly and successfully installed on Sandra’s computer. The program was designed to covertly log everything she typed in from that moment on, and to send all of the information to the website owner as well. It functioned flawlessly, too, recording everything Sandra typed. Every website she visited and every email she sent was passed on to the cybercriminal.
Later that evening, Sandra finished up her monthly online banking. As she logged into her personal bank account, the keystroke logger recorded those keystrokes too, including confidential information: the name of her bank, her user ID, her password, the last four digits of her Social Security number, and her mother’s maiden name. The bank’s system was secure, and all the data she typed in was encrypted so no one along the route could casually discern the information. However, the keystroke logger was recording the information in real time as she typed it in, before it was encrypted. Thus the keystroke logger was able to bypass the security that was in place.
It was just a matter of time before her bank’s name, her user ID, her password, and her mother’s maiden name were in the hands of the cybercriminal. He added Sandra’s name and information to a long list of other unsuspecting users. He then sold that list to someone he had met on the Internet, someone who specialized in using stolen bank information to make illegal withdrawals. When Sandra went to make a deposit several weeks later and asked for her balance statement, she was shocked to find that her bank account was almost empty. Sandra had been the victim of a cybercrime.