Do you know how to report a computer crime? Or even who you would report it to?
So far, we have looked at phishing and SQL injection attacks, trolling, unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we'll look at fake anti-virus.
We'll look at what offences are committed in different countries when a crime like this happens, how you should report the crime, and what evidence you can preserve that might help in the subsequent investigation.
Take this scenario:
Peter is browsing the internet at home using his PC and lands on an adult content web portal. He sees a hyperlink offering to download an X-rated movie. Peter downloads the file.
Peter has the option “Hide extensions for known file types” selected in the folder option of his user account settings, so he is not aware of the fact that the file he has downloaded is in fact an executable file and not the AVI file it is masquerading as.
Peter runs the file and nothing appears to happen. He attempts to access Windows Task Manager but he finds he is unable to. After about two minutes, the icons on Peter's desktop disappear and he is presented with a scrolling window that appears to be scanning the contents of his hard drive. Once the scan has finished, Peter is told that his computer is infected with over twenty pieces of malware.
This, of course, isn't the case; Peter is infected with Trojan/FakeAV-GCK which he had downloaded from the web portal.
Peter has an anti-virus application installed, but received no alert at the time of the download because the fake anti-virus malware was a new variant.
Peter telephones the customer support number displayed by the fake anti-virus application and reads out his credit card number to pay for the 'license fee' of 85 pounds. He is given a 'license key' and enters it into the fake anti-virus which then completes its quarantine and cleaning cycles and declares that Peter’s PC is clear of malware. Of course, the real malware is still on his computer.
A day later, the malware is detected by Peter's anti-virus software following a signature update.
The fake anti-virus operation, including the call centre processing the fraudulent payments, is part of the activity of an online criminal group. The cybercriminals' intention is to infect as many computers as possible in order to generate money by tricking their victims into believing they were infected with multiple instances of malware.
What are the offences?
In this scenario, two primary offences have taken place which can be broken down like this:
Firstly, the cybercriminals performed an unauthorised modification in relation to a computer.
It is unauthorised because they did not have permission to install the malware on Peter’s computer. He believed he was running a movie file and had he known the full circumstances he would not have consented to the cybercriminal’s action.
The cybercriminals knew that this activity was unauthorised. They intended to impair his computer by preventing access to the Task Manager, and then falsely reporting the PC was infected.
Secondly, the cybercriminals committed a fraud by false representation.
Peter has been tricked into believing his computer is riddled with malware. As a result of that deception, he made a payment unwittingly to the cybercriminals in the belief it would resolve the malware infections.
The legal bit
We've focused on the UK, USA, Canada and Australia, but each country has its own legislation, though the relevant statute often exists to accommodate the same offences in each country.
In the UK, most computer crime falls under offences covered by one of three pieces of law:
Other associated crimes could include Conspiracy or Money Laundering offences, but victims of computer crime are more often than not affected by at least one of the three acts listed above.
In this case, the cybercriminals commit two offences. The first, Unauthorised Acts with Intent to Impair, contrary to Section 3 of the Computer Misuse Act 1990, is committed when an offender modifies a computer with intent to impair the functionality of that computer.
The second, Fraud by False Representation, contrary to Section 2 of the Fraud Act 2006, is committed when Peter is tricked into believing his computer is infected.
In this instance, false representation is made both with and without human intervention. The call centre operator takes part in the deception and the malware falsely indicates that the computer is infected. The false representation may be express or implied.
In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers.
This is what the cybercriminals contravened when they disseminated the malware.
The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:
- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud
In this case, both Section 342.1 Canadian Criminal Code (CCC) - Unauthorised Use of a Computer - and Section 430(1.1) CCC - Mischief in Relation to Data (damaging data) - were contravened.
Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.
In this scenario offences falling within Section 86 CLCA were committed.
Reporting the crime
In the UK, when a crime has taken place it should be reported to the police, so Peter should immediately report it at the local police station.
A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU) which provides the UK's investigative response to the most serious incidents of cybercrime. The PCeU requests that the routine reporting of computer crime offences are not made directly to them.
There is also an alternative reporting body for internet-enabled crime: Action Fraud.
Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.
The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).
Two Federal LEAs have a remit to investigate some computer crimes:
- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)
In this case the crime should be reported at the FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.
The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes, but they also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.
A computer crime victim, like Peter, should report the incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.
Peter should report the crime to the Australian State or Territory Police.
Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.
Preserving the evidence
Peter may want to consider preserving the fake anti-virus alert by taking a screenshot of the PC. If the malware is preventing Peter from doing this, he could take a photograph of the screen. Peter should also write down the telephone number he dialled to make the payment.
Any subsequent genuine anti-virus alerts should also be recorded.
Important: Peter should also immediately inform his bank of the fraudulent activity. The bank may recommend he changes his bank card as he has passed its details over to criminals.
Peter should also ask his bank to preserve all account information relating to the fraudulent transaction, and tell them that the matter has been reported to the authorities.
Finally, Peter should keep all of his own personal bank correspondence connected to the incident.
Peter should run a malware removal tool to identify and clean up the infection. (Sophos has a free Virus Removal Tool which does just this.)
As the effects of different kinds of malware vary considerably, Peter should also talk to his anti-virus vendor for advice on any other remediation he should perform which is particular to the kind of malware he has.
In future, Peter should always exercise caution when running programs downloaded from the internet, verifying by comparing checksums if they are available.
He should make sure his anti-virus signatures are kept up to date, and that his operating system and applications are patched.
Peter should also modify the folder options on his computer to display file suffixes. Malware authors often take advantage of the fact that hidden file extensions can cloak the true nature of the file displayed. Below are two screen shots of genuine fake anti-virus - one shows the file with its extension hidden and the other shows the file with the extension displayed, revealing the file is in fact an executable.
To make sure file extensions aren't hidden, Peter will need to make a change to his Folder Options. How you do this varies by system, but in general the “Hide extensions for known file types” box should be unchecked.
You can do this in XP like this:
Or Windows 7 like this:
In general, it's important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.
If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will be not be a true reflection of the number of crimes taking place.
The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.
We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.
All of the scenarios are made up and the characters depicted bear no resemblance to any person.
Naked Security gratefully acknowledges the assistance of the following organisations in preparation of this series of articles:
UK Police Central e-Crime Unit
United States Federal Bureau of Investigation
United States Secret Service
Royal Canadian Mounted Police
South Australia Police