Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Cybercrime More Lucrative Than Drugs 282

prostoalex writes "Yahoo is reporting that global cybercrime overtook global drug trafficking in terms of revenue this past year. In related news, only 4% of Internet users can flag 100% of phishing e-mails as fraudulent, and Americans filed 207,000 reports on cybercrime to FBI."
This discussion has been archived. No new comments can be posted.

Cybercrime More Lucrative Than Drugs

Comments Filter:
  • dotCrime Bubbles (Score:5, Interesting)

    by fembots ( 753724 ) on Monday November 28, 2005 @06:12PM (#14133399) Homepage
    Yeah sure, they'd better party like it is twenty-zero-five, sooner or later they'll run out of idiots like dotcoms ran out of VCs.

    Cybercrime requires constant training, otherwise your hacking skills can be out of date in just a few months. On the contrary, a crowbar-trained criminal can still make a living in today's high-tech security world.

    I foresee in 5-10 years' time, traditional crimes will go mainstream again as many cyber-criminals will be out of jobs^H^H^H^Hcrimes by then.
    • by FooAtWFU ( 699187 ) on Monday November 28, 2005 @06:23PM (#14133492) Homepage
      In 2010, you will probably still be able to send the same sorts of pretty messages pretending to from be J Random AOLer's bank or John Q Public's eBay account, which link you to a site that looks almost excactly the same, and which scrape their email and passwords. The exact same message? Probably not. But take a look at the dozens of Nigerian-419 scams which are still basically unchanged since their inception...

      Petty crime has plenty of 'local' variables like where the police hang out, which places have alarms and electronics, et cetera, but most have similar principles; electronic crimes have different rootkits and different websites to fake and emails to send and addresses to harvest and spam filters to bypass, but again, most have similar principles. Unless you're manufacturing the (crowbar|rootkit/botnet) things won't change much.

    • so does the whole tired ^H^H^H thing make you feel cool? More of a geek than you actually are? I'm kind of sick of seeing it used...usually by people who don't even know what it's all about.
    • Re:dotCrime Bubbles (Score:4, Informative)

      by darkmeridian ( 119044 ) <<moc.liamg> <ta> <gnauhc.mailliw>> on Monday November 28, 2005 @07:50PM (#14134133) Homepage
      Of course cybercriminals make more money.

      Drug dealers are mostly young people a bad neighborhood who have nothing better to do. There was a study (in the book Freakonomics) that said that the average lifespan of a guy who stayed in the business to be around four years. Four years! And considering all that, the money they made in profit, with the jail time, etc., they made minimum wage. Being a drug dealer, the study found, had a significant degree of status and a lottery chance of being a kingpin. And that's about all they get from it.

      Cybercriminals are sophisticated folks. Many phishers for online brokerages have graduate degrees in finance. (This week's Business Week.) They have capital to invest in their enterprise, too. Of course they're going to make more money and get away with it as compared to drug dealers, even the "high" level ones.

      Anyway, I've been crazily modded down recently in weird ways. Look at my history. What the hell is going on? Someone leave me a message.
    • by paranode ( 671698 ) on Monday November 28, 2005 @08:23PM (#14134293)
      ...is to legalize cybercrime.
  • New Slogan: (Score:5, Funny)

    by Shadow Wrought ( 586631 ) <.moc.liamg. .ta. .thguorw.wodahs.> on Monday November 28, 2005 @06:13PM (#14133407) Homepage Journal
    Geeks! Now better than junkies.
  • by Sheetrock ( 152993 ) on Monday November 28, 2005 @06:13PM (#14133410) Homepage Journal
    I've been around the Internet for a long time -- since the early 90s in fact -- and am thus quite aware of the ruinous activities it has been subjected to by the typical user since then. You know, things like people popping into a random USENET group and treating it like a tech support line, or in the larger picture basically assuming the entire network is there to serve as some form of entertainment.

    When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.

    It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.

    Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.

    It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?

    • by maelstrom ( 638 ) on Monday November 28, 2005 @06:28PM (#14133541) Homepage Journal
      I agree completely. I've noticed a similar problem on Slashdot which your solution seems to solve nicely. I recommend we limit posting access to all users who have a greater than 3 digit ID. Maybe raising the barrier of entry will prevent me from having to read half cocked ideas like limiting access to compilers.
      • "I recommend we limit posting access to all users who have a greater than 3 digit ID."

        So in order to have posting access you'd have to abandon your #638 account and get another one?

        I wonder if Cmdr Taco has already reserved # 1,000,000 for himself to avoid being trapped in the 1-999 ghetto.

    • Things are so difficult when it comes to computers because people are so insistent on having their own computers for their own data but don't want to learn how keep those computers secure. They are voluntary fools.

      However, I do agree that we have no reason to put executable code in documents.
    • you're 100% correct...history has shown that limiting the number of thinkers that have access to a problem is a sure fire way to obtain the best solution
    • Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field.

      That doesn't work for doctors and lawyers, why would it work for programmers?

      I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source co
    • by jabbo ( 860 ) <jabbo@nOSPam.yahoo.com> on Monday November 28, 2005 @06:44PM (#14133669)
      > I suggest that the field and the general user experience would be greatly enhanced by
      > limiting access to compilers/assemblers (by means of pricing and with the cooperation of
      > the open source community) and by separating macros or other executable content from
      > documents.

      [eg. the premise: artificially raise the cost of compilers and nastybad people will stop writing viruses, etc. just like gangsters in New York improvised zip guns when guns cost too much... oh, wait, that's a bad analogy... bad people just make do.]

      You should also consider separating "clueless" from "malicious" in your thought process. HTH.

      > Think about it; in what other field do we "educate" "users"?

      Other than prenatal care, disaster response, home safety, poison control, vehicular operation, wildfire control, diabetes management, power tools, gun storage, and how to program your VCR? Can't think of any offhand...

      > We don't try to educate people
      > with electrical outlets and let any curious individual perform as a licensed electrician.

      But we'll sell wire cutters and conduit to any moron at Home Depot, along with a Hole Hawg and a 3 foot masonry bit. Surprisingly, a license is not required to burn down your house as a DIY repairman, nor is it required to pack a thousand pounds of fertilizer, some gasoline, and some nails into the back of a van, detonate it, and cause much worse harm.

      Cars are deadly weapons, as are guns; both require a license to operate, but in neither case does that eliminate fatalities caused thereby. (In fact, on the evening news last night, I noticed that a Class C licensed bus driver rolled over an embankment, killing 2 people and one fetus, injuring the other 39 people on the bus. More than likely, a smaller percentage of licensed commercial drivers do this than, say, unregulated Pakistani mountain bus jockeys, but I have no useful measure of the protective effect conferred by this certifying process.)

      Bad people will still be bad people, and "the cooperation of the opensource community" is not something I think you can depend on for this venture. (cf. PGP and SSL export restrictions)

      Stack protection, virtualization, perhaps legal penalties for willfully distributing software known to pose a risk to the users without their awareness or education (cf. the Theramed); maybe an overhaul of the communications system, and use of (NON-unicode) certificates required for financial communications. I don't know for certain, but I do believe that your rant about compilers holds little relevance to phishing at this point in time.

      Full disclosure: I learned to program on an HP-80 and a Timex-Sinclair ZX-81. I was using Usenet before AOL 'broke' it. And I still think you're chasing the wrong idea.
    • So.... your argument is that the VB novice is the cause of all the security problems around. Why I'm certainly glad we're not blaming the highly skilled and experienced developers at large multinational corporations with 40 billion or so in the bank. You seem to miss the fact that a lot of the time, the application only does what a typical application does, but in a malicious way. Malicious coders will create programs to do this, and gullible users will run it. The other half is that computers have pretty m
    • by reynaert ( 264437 ) on Monday November 28, 2005 @06:56PM (#14133782)

      I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers

      Hah! I shall SAVE THE WORLD with my carefully hidden away TURBO PASCAL 5.0 floppy!

    • by MightyMartian ( 840721 ) on Monday November 28, 2005 @07:19PM (#14133943) Journal
      Back in the old days, we had to shovel coal into our computers. That was way back when Usenet traffic was passed via UUCP and by the sacrificing of virgins (never hard to find in CS departments way back when). Why, I remember alerts going "Keep signatures to 28 characters or someone will come and remove your testicles with a 7/16ths nut driver and some mouldy toast".
      • Oh man, I knew there was an easier way, I should have just sacrificed some virgins. I used to have to walk six miles, uphill, in the snow, to the local 1400 baud modem. Once there I had to wait 2 hours to download the day's newsgroup activity (alt.sex.binaries must have accounted for at least 70% of that time) onto a set of floppies.

        Then I had to walk back, six miles in the snow, uphill (again), and boot up my brand new monochrome NeXT cube. It was the first computer I ever had that was coal free -whi
    • Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser;

      This got modded insightful? Hey buddy, you want me to go sit in the back of the internet because I haven't been on as long as you have?

      Jackass.

    • Yes, it's terrible new people have moved into the neighborhood. I'd like to introduce you to my coworker - she started out hard-wiring programs into an IBM in the 60's.

      Now any fool who can type can come along and they don't even have to hand-assemble their programs! Sheesh!

    • so hex editing a pre-compiled worm to listen to the correct IRC channel would be ok because the scriptkiddie isn't actualy using a compiler.
  • Oil (Score:5, Interesting)

    by Seumas ( 6865 ) on Monday November 28, 2005 @06:13PM (#14133416)
    Yet, I bet both of them combined aren't as lucrative when it comes to funding terrorism as hitting your local gas station for a fill-up.
    • Yet, I bet both of them combined aren't as lucrative when it comes to funding terrorism as hitting your local gas station for a fill-up.

      I dunno, Microsoft seem do be doing all right with their version of the same thing.
    • Re:Oil (Score:4, Insightful)

      by nycguy ( 892403 ) on Monday November 28, 2005 @06:50PM (#14133719)
      While I have no love for the regimes of oil-producing countries in the Middle East and South America, the notion that importing less oil will seriously affect the funding of global terrorism is nonsense. According to the 9/11 commission, the attacks on the US were funded with only about $500,000 (link [cnn.com]). I would venture that the global "budget" for terrorism is only in the low tens of millions of dollars, which is a drop in the barrel compared to the many billions of dollars oil exporters are making. A better argument for importing less oil is that we should not support the prosperity of regimes that have turned a blind eye on terrorism and that deprive their populations of democratic institutions (even if free democracy might result in theocratic leadership in the short term). However, I think that just working to ensure that the income generated by oil is more evenly distributed among the populations of exporters would go much further toward eliminating terrorism than trying to indirectly strangle the funding of groups that can already do quite a bit of damage on a shoe-string budget.
    • So I guess all that extra money we started paying for gas after the 'war for oil' started is going to recruit new terrorists since so many were killed or captured?



      Or maybe what you meant to say was 'fund rich capitalists'.

  • No new law needed (Score:5, Interesting)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Monday November 28, 2005 @06:14PM (#14133421) Homepage Journal
    Cybercrime pisses off U.S. black market businesses because it outsources a huge income potential to other countries.

    All kidding aside, I don't personally believe in cybercrime. Some cybercrime victims are merely stupid users, and no law can fix them. Other cybercrimes that do disturb one's property should be covered by laws already in place.

    My fear is that defending the cybercrime idea will only help make more wealthy lawyers and give politicians more abusive power.
    • All kidding aside, I don't personally believe in cybercrime. Some cybercrime victims are merely stupid users, and no law can fix them.
      So, con artists are O.K. because their victims willingly surrender to them whatever they want???
      • Re:No new law needed (Score:3, Interesting)

        by dada21 ( 163177 ) *
        Yes. If people would learn to provide contracts to protect themselves, we wouldn't need laws to protect them. Time creates intelligence, government takes it away.

        I pass on so many contracts daily because the power of contract is now only a corporate priviledge. I won't sign anything without cutting out portions, and often companies won't let me be a customer without accepting their contract. In a market where people's expectations are tied to a contract, I doubt this would happen.

        Con men take advantage
    • Re:No new law needed (Score:4, Interesting)

      by ScentCone ( 795499 ) on Monday November 28, 2005 @08:55PM (#14134422)
      I don't personally believe in cybercrime

      That's like saying you don't believe in wire fraud, or don't believe in insurance scams. The point is that it's a class of criminal activity that wouldn't exist without the internet. The internet doesn't create those crimes, but those particular crimes couldn't exist without it. Just like cars don't cause auto theft, but without which, it wouldn't happen. Do you believe in the theft of automobiles? I don't need to believe in it - it's real no matter what I label it.

      Some cybercrime victims are merely stupid users

      Which users are those? Surely you're not suggesting that people, out of stupidity, inadvertantly transfer their life's savings into an offshore bank account owned by the Russian mob? Or do you mean users that are so dumb that they accidentally go online and have expensive electronics shipped to someone they don't know in the Bronx? Maybe it's stupid users that are so dumb that somehow they cause someone else to get a line of credit with their personal info? Obviously that's all BS... only the actions of the Bad Guys can actually leverage someone's ignorance and steal their money or fraudulently use their ID in the commission of a crime. Again: you don't have to believe in those acts... they're happening all around you, and not just because someone's grandma isn't savvy enough to see through a phishing scheme. The fact of her ignorance doesn't cause the guy in Russia using a zombie machine in Korea to send her that fake e-mail and then run off with her cash or reputation. Her igornance is a weakness, just like the glass windows on your house are a weakness that another sort of criminal easily exploits.

      My fear is that defending the cybercrime idea will only help make more wealthy lawyers and give politicians more abusive power.

      If you're worried about that, then why worry about other compartmentalized flavors of crime? Securities fraud involves some particular methods, practitioners, and types of victims. Enough so that we have a special name for it, even though it's still just basically deceit and theft. If specialized pursuit and prosecution of a certain type of crime is just going to make lawyers rich and politicians abusive, then would you recommend backing off of the guys that ran Enron's investors into the ground because we already have laws against theft and fraud?

      We live in a highly specialized civilization, and need to deal with criminal specialists with specilialized laws and enforcement.
  • Drugs and prostitution should not be cyber crime. Neither should crimes relating to information freedom... so all that leaves are the phishers?
  • guess it's time to switch jobs ;-)
  • 10% (Score:2, Interesting)

    by GigsVT ( 208848 )
    I once read that 10% of all trade worldwide is underground, dollar for dollar (or peso for peso or whatever). That's trillions of dollars.

    I wonder if aggregate underground economy percentages have increased, or if more traditional underground trade has just moved online.
    • Re:10% (Score:4, Funny)

      by grumpyman ( 849537 ) on Monday November 28, 2005 @06:42PM (#14133645)
      Undergraound economy... do you mean eBay?
    • Re:10% (Score:2, Insightful)

      by eagle0468 ( 783230 )
      This is just opinion based on perception, but I would guess that the black market may be equal in volume of sales, but lower in capital gains due to the prices being so much less. Also, I would predict that both of those levels fluctuate with the rise and fall of economies throughout the world. I.E. the black market in China may be dwindling with the rise of capitalism there. Whereas, it seems the black market in Russia is thriving due to the lack of governmental oversight and increase in corruption. Of
  • by RealisticCanadian ( 850967 ) on Monday November 28, 2005 @06:22PM (#14133470) Journal
    I've yet to understand the supposed principle that the Powers That Be or the Media could possibly figure out any kind of accurate figures on illegal activites.

    Dunno 'bout the rest of you guys here, but I never told the police or the press how much profit I made back when I was a small time dealer (can't touch me, young offenders act! :p)

    If I didn't, you can be damn sure that big-time or organized criminals do not share these figures either.

    Neither do the users. (How many crack-heads report the amount they spend on their habit?)

    So what the hell is the premise on which these "statistics" have ever been based on?

    I can think of a few ways to fudge up some statistics about people screwed outta their money on the net, but I can't see a way to truly gauge that either. Again, if I fell for the "send me a grand and I'll send you a million" I sure as hell wouldn't tell anyone I was that stupid.

    Hence, I dub the entire original article as BS, just like the 'War on Drugs' and even the 'War on Spam' /end rant :p
  • min wage (Score:5, Informative)

    by Jeffrey Baker ( 6191 ) on Monday November 28, 2005 @06:23PM (#14133493)
    According to the book Freakonomics, drug dealers make less than the minimum wage, on average. It would not be hard to beat that level of productivity in any undertaking, criminal or not.

    As for the phishing problem, I really don't understand why people fall for those. Your bank, or eBay, or Paypal, will never, ever, ever, ever, ever send you an email asking you to disclose any account information. If those people want to contact you for an important reason, they will either call or send you actual mail. This seems like a simple rule to remember, doesn't it?
    • "Your bank, or eBay, or Paypal, will never, ever, ever, ever, ever send you an email asking you to disclose any account information."

      They say that, but they ask me to sign into my account to see the latest balance transfer offer or to sign up for "account guard" all of the time.

    • How about when "Amazon" sends you a $25 coupon--just click here! It takes a bit more to realize you are on www.amazon.com.bleh.meh/coupon instead of amazon.com when you enter your login information. And Amazon does send those kinds of emails.
    • I think the conclusion wasn't that drug dealers make an average of $5/hour but that the typical drug dealer makes that amount. Median salary rather than mean. Obviously there are several fabulously wealthy drug dealers; it's just that there are scores of footsoldiers who make very little.

      So overtaking drug earnings is still big news.
      • Yes. If you've read the book, he compares the drug business with McDonald's. McDonald's also has some highly paid executives.
      • Obviously there are several fabulously wealthy drug dealers; it's just that there are scores of footsoldiers who make very little.

        Replace "drug dealers" with "CEOs" and you'll get a very good indication of why people sell (and use) drugs. The opportunities for advancement are better, your enemies identify themselves clearly (by shooting at you) instead of manipulating office politics, and you die if you fail, so there's no messy bankruptcy/reposession process if you're young, or humiliating retirement/de

    • According to the book Freakonomics, drug dealers make less than the minimum wage, on average. It would not be hard to beat that level of productivity in any undertaking, criminal or not.

      But is the average drug dealer a full time dealer or on top of other income? And by other income I also mean social security and other things you won't get along with a regular job. Is it their way of being able to afford their own habit, instead of being a hobo because they're stoned and couldn't keep a real job? Or are the
    • This seems like a simple rule to remember, doesn't it?

      If I give you my credit card number will you write it down for me?

  • Read the fine print...

    "No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Treasury on cybercrime."

    So "child porn" and "piracy" makes more money than the drug trade? I don't think so...

    • "No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Treasury on cybercrime."

      So "child porn" and "piracy" makes more money than the drug trade? I don't think so...

      Sure they do. Let's use the numbers favored by the RIAA and MPAA, the foremost industry advocacy groups dealing with this scourge of "cybercrime."

      50,000,000 American teenagers * $1,000,000 in economic damage per pirated MP

    • If you look at what the Industry thinks its losses from piracy are, its plausible. Of course, it does bring up the problem that the drug trade fuels cost estimates for piracy, since they've gotta have alot of analysts smoking crack to come up with the piracy losses they claim.
      • It's ONE thing to say that piracy causes the RIAA/MPAA to have "lost revenues". That's at least an arguable point.

        It's ANOTHER to say that piracy has more INCOME than the drug trade.

        Now, pirated items "sold" over the internet like actual goods, yeah, that's revenue. But I highly doubt that number has overtaken the drug revenue number. But you KNOW they're including all the free traders on the p2p services in those numbers just so they can scare people into tighter legislation.
    • This includes piracy. The movie, record, and software industries routinely claim extremely, ridiculously high losses from piracy to cover up the fact that they make crap that no one wants.

      In other words, this article is almost certainly BS, which you could have just assumed when you saw Reuters.
  • 4% is bogus (Score:3, Informative)

    by jhliptak ( 619614 ) on Monday November 28, 2005 @06:26PM (#14133518)
    I took the e-mail test and I "failed" it, identifying two "legitimate" e-mails as bogus. In both of those cases, the explanation said it would better not to follow the links in those two e-mails.
    • I did that - the two that I said were bogus were because the domain names weren't the same as the originating organisation's domain name (which was a sensible move).
    • Re:4% is bogus (Score:3, Insightful)

      by mysqlrocks ( 783488 )
      I took the test and got all but one correct. I identified one legitimate e-mail as a phishing attempt. When given the choice I guess it's better to err on the side of caution. Anyways, it's not very realistic. The one I got wrong had the last four digits of an account number in it. If I'd gotten the e-mail I'd open up my wallet and see if my account number matched.
      • Re:4% is bogus (Score:3, Insightful)

        by remahl ( 698283 )
        So what if the phisher had intercepted a previous mail from your bank, containing the bank account number suffix?

        If they gain control of a large mail server or active router, they could easily and reliably associate thousands of account digits with the correct email addresses, and use that information to gain credibility. Email that's this important should be sent encrypted for the receiver and the signature verified against a certificate exchanged when the account or service was established.
        • Firstly, most phisers (phishermen? :) wouldn't and couldn't go to those lengths.

          Secondly, there is no "standard" (as in supported by ALL clients) method for encrypting emails. I know most OSS clients support PGP, but Microsoft Outlook Express doesn't and thats what many people use if they are not using web-based email.
    • Me too, (I'm guessing we fell for the same examples).

      Showing that the financial institutions are doing their part in confusing people. There were definite evidence of phishing in those messages (bank name being a sub domain of an obscure domain and a variation of the primary name). Why does Bank of America point its customers to bankofamerica1.com if they're aware of phishing issues?

      Even with edge-cases like this removed, I doubt the results would be much more encouraging. But 4 % success rate is worse tha
    • Re:4% is bogus (Score:2, Insightful)

      by KenAndCorey ( 581410 )
      I think most of us failed the same two: #3 and #9 I believe. One of the legit emails had a link to a different domain AND went to a non-standard port (8082). I'm sorry, but just because something is technically legitimate doesn't mean I should have trusted it. I don't open ANYTHING that tries to open a non-standard port. Also, I find it really easy to spot phishing since I don't have an account at Capital1 or EBay or Bank of America.
    • Re:4% is bogus (Score:5, Insightful)

      by Agelmar ( 205181 ) * on Monday November 28, 2005 @07:08PM (#14133876)
      I have a real problem in that they expect me to be able to tell just by looking at a screenshot from (what I believe to be) Outlook Express. I can't hover over links to see if the URL matches the displayed text, I can't look at the message source, and I sure as hell can't see the headers. How am I supposed to be able to tell for sure without this? Sure, I can get most of them, but #3,9 for example would be very nice to see the headers of.
    • Yeah yeah, we all were suspicious of #3 and #9. But read the quote again: "only 4% of Internet users can flag 100% of phishing e-mails as fraudulent". The only way you fail to be part of the elite 4% is if you misidentify a phishing attempt as a legitimate one, which you did not do. You, like myself and everybody else commenting here, correctly identified all the phishing attemps as such, which is the statistic they're quoting. The fact that we're so paranoid we sometimes distrust legitimate mails as w
      • The test was also not entirely fair since it only showed images of the emails. For this kind of thing, I always hit view source, and read the headers and the markup before making a decision - and then usually go to the site by typing in the address and logging in manually, rather than clicking on a link.
  • It's somewhat unsurprising that a variety of con artistry should overtake a variety of contraband trafficking and sale in profits without too much trouble, when it comes down to it. After all, a good deal of cybercrime doesn't actually provide a service or a product, in order to acquire its profits, while markets in contraband goods, being markets after all, need to contend against competitive pricing and provide a product subject to some degree of genuine scarcity (varying greatly, depending on the produc
  • Inflated numbers (Score:4, Interesting)

    by thinmac ( 98095 ) on Monday November 28, 2005 @06:31PM (#14133561) Homepage
    These numbers are almost certainly very sketchy. They list piracy and stock manipulation as part of the total funds brought in by cybercrime. If they just mean people selling pirated software that's one thing, but if they mean people downloading MP3's, then that's different; nobody makes a dime when someone downloads the newest pop hit off the internet, as much as the record companies would like you to think someone just pocketed $15 of their money.

    With the stock manipulation, this is also a pretty nebulous number. Did they include only verified cases of people doing this? What did they consider manipulation? The article is very thin.
  • by sielwolf ( 246764 ) on Monday November 28, 2005 @06:31PM (#14133563) Homepage Journal
    cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy

    That's a pretty open-ended definition. So is old-school white collar insider trading or shenanigans now Cyber-Crime just because they do it from a workstation? It'd be interesting to see just what is a cyber-crime now and how it breaks down into that total 150 billion dollars they just throw out there. Of course such data might pop the balloon of FUD as delicious as this.
    • That's a pretty open-ended definition.

      I didn't read the article (a great Slashdotter mantra), but I imagine that their definition of "drug dealing" is a pretty open-ended as well. Sure, there is cultivating, manufacturing, and distributing - Do they account for drug-related paraphanelia? (Those glass-blown tobacco-pipes/Bongs gotta cost something) Do they account for drug-related crimes and profits? (prostitution, theft, and gambling are tied into drug dealing as well)

      Of course such data might pop the b
    • Piracy? Piracy?! I think not, sir. Since when was access to a computer a requisite to piracy? Here're some reminders [google.com]...
  • if you mark all of them as fraud, you 'fail' the test.

    I consider all email from commercial entities as fraudulent.
    • I have to agree here. Accidently considering a genuine commercial email as fraud is not an "error" under any realistic sensibility. You know they did the test that way intentionally just to get an artificially low number.
      • Especially since some of the companie's legitemate e-mails contained links to sites outside of their domain (eg. the Capital One e-mail).

        Assuming their message doesn't get caught by my spam filters, it will never get past my own two eyeballs.

        If a company that I do business with wants to e-mail me something, they'd better just say "go to our website" because I (and many others) won't ever give it a second look otherwise.

        • The capital one is the one I got hung up on too, and even in the "why?" link, it suggests that you shouldn't click on any of the links in the email, and just open a web browser and go to the site directly because it's suspicious.

          I protest... that should have counted as correct.
  • You mean there's a difference between those two?! I thought kiddies do drugs! It's an onomatopoeia!
  • Because what gives a lot of phishing attempts away - certainly the better ones - is information in the mail header or URLs linked in the text. But we're not shown any of that, so unless they have loads of grammatical errors etc, it's impossible to tell if they are genuine or not.
  • I looked at that test, and it was annoying. I doubt I could have got 100% on it, yet, I have never been nailed by phishing spam.

    What was annoying? I was supposed to judge the validity of the emails from a jpeg - not from looking at the acutal links on the email. I mean, if I get an email from my bank, and the URL that they send me is NOT the same as my banks - then I know it is phishing spam. I do this because I can tell by the domain/subdomain in the links - not by how the mail "looks".

    Having said that, I
  • Well, there we go. Empirical, definitive proof. People are stupid.
  • The test is bad (Score:5, Insightful)

    by jmv ( 93421 ) on Monday November 28, 2005 @06:36PM (#14133603) Homepage
    In related news, only 4% of Internet users can flag 100% of phishing e-mails as fraudulent

    Had a look at the test [mailfrontier.com] and this is not surprising. Basically, they just take a screenshot of the mail reader window, ripping out any info (headers, html source) that could be of any help. Not to mention that as long as you assume anything you get from your bank/ebay/paypal/... is *potentially* a phishing e-mail, you don't have to actually be able to tell the difference. Education should not be about recognizing phishing emails because phishers will always be ahead. However, if you *never* click on a link and always use bookmarks (to bank and all) you have, then there's nothing a phisher can do. Of course, education should also be for institutions like my bank which includes its website URL in emails they send me (they're encouraging their customers to learn bad habits).
  • Perhaps I'm a luddite, but I was one very early on. I've always had the policy of never putting my credit card number online. In the old days (Early 90s), it was because most "retailers" didn't even bother encrypting the numbers in their database. Hell, there was no way of even knowing that the store even existed in the first place, the earliest form of phishing. Now a days, I assume EVERY email I get that asks for any information is from a criminal.

    With the advent of temporary credit card numbers, I fe
  • They have been involved in Cybercrime for years. Each time they force-feed a copy Windows down people's throats. Made them rich.
  • only 4% of Internet users can flag 100% of phishing e-mails as fraudulent
    No. Half the examples in that test require users to identify suspect emails as Legitimate. Sure enough, few people (especially the ones who practice 'safe browsing' by default -- i.e. tell no one nothing ever) will score 100% by trusting all those suspect examples.

    Users can be taught to default to "NO". They are learning.

    That said, user credulousness would be a problem even if 99% of users had identified all the fraud examples as fr
  • The only way to deal with phishing is to *never* give whatever secure information in response to email you didn't initiate. Unless you're Jon Postel (and I believe he's now dead) you simply can't distinguish between legit emails and top quality phishing, no matter how loudly the idiot snobs here insist otherwise.
  • by RingDev ( 879105 ) on Monday November 28, 2005 @06:43PM (#14133660) Homepage Journal
    That test is a waste. The 'emails' are image files, so you can't see where the actual links point to, you can't see the email header or the true from address. Anyone who nails 100% is more lucky then savey.

    -Rick
  • only 4% of Internet users can flag 100% of phishing e-mails as fraudulent

    So only 4% are using text only mail readers like pine? And the rest are looking at the Paypal graphic in the HTML email and deciding the email is genuine?

    Poor bastards.

    More meat and less bun in a mailreader makes fakes trivial to spot.

  • It occurs to me that only the illegal drug and software industries call their customers "users".
  • I don't believe this for a second. The amount of drug money that is laundered through the US every year is way more than $100,000,000,000. I've heard figures as high as $600,000,000,000, and those figures are a couple of years old.
  • by Mr. Cancelled ( 572486 ) on Monday November 28, 2005 @07:40PM (#14134064)
    One's a crime of greed, while the other is a crime of demand (although plently of people get into the drug business solely for the income potential).

    If there wasn't a demand for drugs, there would be no drug trade. Conversely, the only reason to steal from others is always greed. Some might steal for fun *cough* winona ryder *cough*, but theft (in person, 3rd person, or via cybercrime) is almost always due to greed. Big difference there... One's there as a result of people wants, and demands. The other is largely parasitic, and exists solely to leech off people.

    Personally, I'd rather see my government invest more of our tax dollars into protecting our identities, and investments, as opposed to busting generally harmless dope smokers, and their suppliers (In case you didn't know, marijuana smokers are the most commonly targeted drug demographic these days, and the majority of our tax dollars, go towards fighting marijuana, while proven "bad drugs", such as meth, ruin lives, and run rampant throughout the country).

    The reason for all this is greed. The big companies almost write their own laws these days, and meanwhile more and more of our freedoms our lost, as our lawmakers focus on giving their funders (not constituents!) what they want. And surprisingly, things like Cybercrime continue to grow, and be largely ignored (Note, I'm talking real crimes, such as identity theft, phishing, and so on. Not downloading music and videos, which IMHO should be near the bottom of our list of priorities) .

    Personally, I'd like to see a major change in how we handle crimes in this country: Elevate identity theft, and other life-altering crimes to the level they deserve, focus our energies and money on bettering our country, and removing our dependence on other countries for our very existance, and stop focusing on the average downloader as being the worst thing to hit the US since Pearl Harbor. Meanwhile, start fighting the real drug problems that are facing our country: Meth, Cocaine, Heroin, and so on, rather than going after the "low hanging fruit", marijaua users, which are largely chosen simply for the ease of busts, and the profit available to cops for doing so.

    It's all about priorities, and right now our lawmakers top priorities are largely themselves, as evidenced by recent [cnn.com] events [cnn.com].
  • Probably piracy makes up 90% of their numbers, and we know that the RIAA, MPAA, and their proxies world-wide probably over-estimate their figures by claiming that everyone who downloads something will not buy it. The article doesn't show the numbers breakdown...

    ttyl
                Farrell
  • I took the test and got 50% ... but not because I was fooled by half the pfishers. They were frauds because I do not have accounts with any of the supposed senders.

    Maybe the test should say: "IF you had an account with the following entities, would you consider this a genuine or a fake email from them?"

  • That 4% number seems rather suspect to me.

    If you take a look at the survey it not only checks to see if you can spot a fraud, but if you can spot a legitimate email too, and marking a legitimate email as a fraud, which in real world terms is harmless, is given the same penalty has marking a fraudulent email as legitimate... Even in the explanation they say that the message had red flag yet was legitimate, so what's supposed to be the lesson learned here? That users also have a hard time spotting legitimate
  • by tigertiger ( 580064 ) on Monday November 28, 2005 @08:22PM (#14134284) Homepage
    Ah, journalists... So let's do some homework for them.

    So for all of us who are busy googling for this person, the name is not Valerie McNiven, but Valerie McNevin. She is a lawyer, worked for the state of Colorado in about 2002 and then for the World Bank and is now [yahoo.com] with a private company, Cybrinth, LLC [cybrinth.com] which does consulting on cyber crime. The Reuters correspondent did not bother to reveal this.

    The article itself is rather confusing - he is actually claiming that cybercrime is perpetrated by "idle youths looking for quick gain"? In the Third World?? And just for fun, once the Reuters dispatch gets rewritten, she turns into a cybercrime guru [securitypronews.com]...

    Now, how she gets the number of more that $100 bn being made by cybercrime, I have no idea. I guess it includes the $40 bn revenue Microsoft makes each year...

  • by Phanatic1a ( 413374 ) on Monday November 28, 2005 @09:10PM (#14134491)
    only 4% of Internet users can flag 100% of phishing e-mails

    I took the test [mailfrontier.com] the linked-to article cited as the source of data for that 4% claim. I only scored 80%. Does that mean I flagged only 80% of phish attempts? No, it doesn't. I flagged 100% of the phishing attempts as exactly what they were.

    I had two false-positives, which lowered my score. But false-positives are quite a bit safer than false-negatives. In each case, the 'legitimate' email linked to different domains than the origin; the one from Bank of America linked to bankofamerica1.com, and the one from CapitalOne linked to a really odd domain, bfi0.com. That second one is a *huge* red flag, regardless of the content of the email, you'd have to be very trusting or do some extra research in order to *not* flag it as a phishing attempt.

    Only 4% of users might score a 100% on that quiz, but that's not at all the same thing as saying that only 4% of users can't flag all phishing scams as such.
  • Sales data? (Score:3, Funny)

    by HermanAB ( 661181 ) on Monday November 28, 2005 @09:34PM (#14134598)
    How accurate can sales figures of illegal drugs and online fraudsters be? Do all drug dealers and fraudsters submit honest tax returns for their illegal sales?

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...