<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">

<channel>
	<title>Intellisec Articles</title>
	
	<link>http://www.intellisec.com/blog</link>
	<description>providing investigation and anti fraud services</description>
	<pubDate>Sun, 08 Nov 2009 23:01:34 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
	<language>en</language>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/feedburner/intellisec" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Duel of the Designers: New Industrial Espionage War Zone</title>
		<link>http://www.intellisec.com/blog/2009/11/08/duel-of-the-designers-new-industrial-espionage-war-zone/</link>
		<comments>http://www.intellisec.com/blog/2009/11/08/duel-of-the-designers-new-industrial-espionage-war-zone/#comments</comments>
		<pubDate>Sun, 08 Nov 2009 23:01:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Forensic Investigation]]></category>

		<category><![CDATA[corporate espionage]]></category>

		<category><![CDATA[commercial espionage]]></category>

		<category><![CDATA[economic espionage]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=205</guid>
		<description><![CDATA[Economic and commercial espionage has a much lower profile than it deserves – dangerously low. It’s an area where many companies remain unaware of their vulnerability, believing that unless they’ve invented something like a cure for the common cold, no one is likely to be interested in what they’re doing. That’s definitely not the case, [...]]]></description>
			<content:encoded><![CDATA[<p>Economic and <a href="http://www.intellisec.com/forensic_investigation.html" target="_blank">commercial espionage</a> has a much lower profile than it deserves – dangerously low. It’s an area where many companies remain unaware of their vulnerability, believing that unless they’ve invented something like a cure for the common cold, no one is likely to be interested in what they’re doing. That’s definitely not the case, for it’s often just a missing link in a chain that a competitor is after. But despite the seriousness of the matter this arena does sometimes produce the oddest of perversities. Here’s a story that takes a lot of beating, even if it doesn’t involve a commercial James Bond having a flat tyre at a crucial moment.</p>
<p>One of China’s major car companies, Great Wall, which is Hong Kong listed and also one of the biggest non-state motor manufacturers, has accused Fiat of secretly photographing its production line and stealing information on its new models. Perhaps there’s nothing unusual about that, but for the fact the Chinese argue that Fiat engaged in this perfidious activity while gathering evidence for its own claim that Great Wall had copied one of the Italian company’s models. This is where things get sticky, as well as perverse.</p>
<p>Fiat has a compact car called Panda, and an Italian court handed down a finding in 2008 that a similar vehicle called the Peri that is produced by Great Wall was in fact an imitation of the Italian model. As a result, sales of the Peri have been halted in Europe. The Chinese are currently in litigation to have that decision overturned. Meanwhile, they claim that while Fiat was gathering evidence on the Panda case, it secretly engaged in industrial espionage at one of Great Wall’s production facilities. The Chinese are now suing Fiat and they’re citing as evidence the very evidence that Fiat itself has presented to a Chinese court to prove that it was Great Wall that did the dirty deed in the first place. Now that’s the sort of convolution that gives convolution a bad name.</p>
<p>This doesn’t only happen to major companies in a globalised system. A firm of any size can encounter such problems, and they’re not only unamusing – they’re inordinately expensive and time-consuming. Fiat alone has lost two related cases it tried to run through the Chinese court system, only to find that Great Wall is now demanding compensation as well as an apology for the commercial espionage in which Fiat is alleged to have engaged.</p>
<p>There is a salutary warning in this for any manufacturer of products in which emerging economies may take an interest. Competition is ruthless and marketing tactics aggressive. You need to know what you’re up against and where your vulnerabilities lie. In the case of China, breaches of intellectual property and counterfeit products are commonplace in many industries, with Chinese companies increasingly willing to counter-sue if accused of wrongdoing.</p>
<p>It pays to call in a team of professionals that will not only define for you the dangers involved but also protect your company’s operations on an ongoing basis. The most experienced groups use sophisticated methods of <a href="http://www.intellisec.com/forensic_investigation.html" target="_blank">forensic investigation</a> and state-of-the-art technology to home in on what you’re confronting. Only when you see it at work will you appreciate just how exposed you’ve been all along.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/11/08/duel-of-the-designers-new-industrial-espionage-war-zone/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The Cyberspace Explosion: Five Tips for Survival</title>
		<link>http://www.intellisec.com/blog/2009/11/04/the-cyberspace-explosion-five-tips-for-survival/</link>
		<comments>http://www.intellisec.com/blog/2009/11/04/the-cyberspace-explosion-five-tips-for-survival/#comments</comments>
		<pubDate>Wed, 04 Nov 2009 22:23:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[Internet Forensics]]></category>

		<category><![CDATA[computer misuse]]></category>

		<category><![CDATA[cyber attack]]></category>

		<category><![CDATA[cyber crime]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=202</guid>
		<description><![CDATA[The new digital world of easy communications and social networking is so surprisingly open that many no longer see the problem as one of Big Brother watching us. It’s more a matter of us being obsessed with watching each other. And sharing, too. As The New York Times put it in September, “Your parents probably [...]]]></description>
			<content:encoded><![CDATA[<p>The new digital world of easy communications and social networking is so surprisingly open that many no longer see the problem as one of Big Brother watching us. It’s more a matter of us being obsessed with watching each other. And sharing, too. As The New York Times put it in September, “Your parents probably told you that sharing was simply the right thing to do. But on the Web, inducing people to share links has become big business, all about driving traffic back to a site and increasing revenue.”<sup>1</sup> This is music to the ears of cyber-crooks and hackers.</p>
<p>The notion of being open and passing everything on is bolstered by stories like the following, which suggest that because everyone’s participating in one way or another, we can easily sit back and enjoy the freedoms that come with this ‘global electronic community’.</p>
<p>Until recently, the wife of the new head of the British Secret Intelligence Service – the country’s external spy agency, commonly known as MI6 – had a Facebook page. It had no privacy protection so details of the family’s London home, daily transport arrangements, vacations and friendships with other senior British officials were freely available to some 200 million users around the globe. The page was speedily removed when its contents were published in the media, raising more than a few eyebrows in the intelligence world in London and beyond. You see, Sir John Sawers, who was Britain’s ambassador to the United Nations when his appointment was announced in mid-2009, was once an MI6 officer himself and should have been aware of the implications of his family’s networking profile well before his new job was broached. After all, he had worked in places like Yemen, Syria, Egypt and Iraq, and also been closely involved at the policy level with Iran, Iraq and Afghanistan.</p>
<p>James Bond would have smiled wryly at that one, especially at the unflattering image of Sawers at the beach in his Speedos. “How could the Chief himself be party to the trivialisation of something so inherently dangerous?” he might have quipped.</p>
<p>The impression that openness is the name of the game in social networking is reinforced when we read about the activities of someone like Barney Jopson, who is the US ambassador to Kenya. Though he’s a diplomat, he has made himself a thorn in the side of the coalition government in Nairobi because of his constant use of Twitter to hector political leaders over the need to quicken the pace of political and economic reform. Posting under the name of USAMB4REFORM, he comments regularly on events that strengthen his message, greatly annoying his hosts.</p>
<p>It’s logical that many people ask why, if an ambassador can enjoy the freedom of cyberspace in this way, should they not also liberally indulge. The short answer is they can, so long as they remember two things. One is that freedom comes with obligations – such as guarding the knowledge you acquire through your work – and the other is that while the world of cyberspace is good fun for most of us, it’s not all cosy and benign. It can often be highly destructive. The byways of cyberspace are devoid of traffic lights, zebra crossings, patrol cars and road rules. Cyber sharks with razor-sharp teeth and sometimes hunting in packs lurk where you least suspect them, and only those observers highly skilled in detecting malicious intent can forestall an attack.</p>
<p>An illustration of this came in the US in October when the FBI thwarted an international terror plot, codenamed the Mickey Mouse Project, to kill the cultural editor of the Danish newspaper that had published the cartoons of the Prophet Mohammed back in 2005. Court papers show that the Chicago-based plot, supported by a Pakistani terror group, was hatched last year by a US citizen, David Headley, 29, who had changed his name a few years ago from Daood Gilani. He had posted a message about the cartoons with an Internet discussion group, stating that, “I feel disposed toward violence for the offending parties.” The FBI and other related authorities picked this up quickly and acted.</p>
<p>For a would-be terrorist like Headley to boast of his disposition in this way was naïve, as was the Sawers family Facebook page. The fact is that most terrorists and cyber criminals don’t make such mistakes. They’re usually deadly accurate in what they do, which is why governments around the world devote enormous amounts of money, manpower and technology to staying ahead in this fast-moving game. The intelligence apparatus of democratic nations is therefore increasingly focused – collaboratively – on thwarting those who seek to exploit the vulnerabilities of cyberspace. The irony is that the governments of other states use that same intelligence prowess for their own political, economic and technological gain, often in a disruptive and destructive manner.</p>
<p>The United States, because of its size and global interests, tracks developments in this field very closely. An October 2009 report<sup>2</sup> in the US made the following observation, which sums up the situation for many of us:</p>
<p><em>Foreign intelligence services have discovered that unclassified US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease using computer network operations tools. The return on present investment for targeting sensitive US information in this way (the intelligence gain) can be extraordinarily high while the barriers to entry (the skills and technologies required to implement an operation) are comparatively low. Many countries are in the process of developing capabilities to either respond defensively to this threat or build their own offensive network operations programs, however, China is most frequently cited as the primary actor behind much of the activity noted in media reporting, and US officials are increasingly willing to publicly acknowledge that China’s network exploitation and intelligence collection activities are one of this country’s most consuming counterintelligence challenges.</em></p>
<p>Wherever a Chinese footprint appears, a Russian one usually isn’t far behind. In a much more limited way, North Korea is sometimes accused of <a href="http://www.intellisec.com/internet_forensics.html" target="_blank">cyber attacks</a>, as it was recently on the United States, Japan and South Korea.</p>
<p>The abovementioned report comes to important conclusions that resonate well beyond America’s shores. It finds that a review of the scale, focus and complexity of the overall campaign directed against the US and, increasingly, a host of other countries around the world strongly suggests that these operations are state-sponsored or supported. Moreover, such operations are succeeding in part because current industry and government information security paradigms are largely based on reactive controls such as traditional signature-based anti-virus vendor models, common host and network defensive measures that are often inadequate against advanced attackers. Attackers exploit this reactive defence model and have the resources necessary to develop and exploit previously unknown vulnerabilities that are often missed by signature-based IDS/IPS and endpoint protection software.</p>
<p>Crucially, the report concludes that the overall effort involved in such attacks likely consists of multiple groups and skilled individuals operating against different targets given the high operational tempo and diversity of targeting observed to date. Analysis of forensic data associated with penetrations attributed to sophisticated state-sponsored operators suggests that in some operations multiple individuals are possibly involved, responsible for specific tasks such as gaining and establishing network access, surveying portions of the targeted network to identify information of value, and organising data exfiltration. These attackers have also demonstrated a high degree of awareness of a targeted organization’s information security measures according to forensic analysis of attacker activity, and appear able to alter their operations to avoid detection, reflecting the meticulous reconnaissance that they – or others on their behalf – conduct.</p>
<p>This activity can lead to unprecedented warnings from government, such as that from Jonathan Evans, the director-general of MI5 – Britain’s domestic security agency – in 2007, alerting 300 British businesses to the fact that they were under cyber attack.</p>
<p>The Washington Times highlighted in an article early this year, “The Silent Cyberwar”, how such attacks are carried out on a massive scale the world over.<sup>3</sup> Even ostensibly friendly nations, it claimed, zap each other’s electronic nerve cells frequently, and with reckless abandon. On a single day in 2008, would-be intruders hit the Pentagon 6 million times in a 24-hour period. Before September 11 2001, the highest annual figure for cyber attacks against that establishment was 250,000. But the US is keeping well ahead of potential adversaries in cyberspace. Last year, an American military computer reached the astronomical processing power of more than 1 quadrillion calculations per second. That’s 1,000 trillion. If 6 billion people used calculators 24 hours a day, seven days a week, it would take them 46 years to do what that computer, known as Roadrunner, does in a day. And that’s before you consider the massive electronic eavesdropping and analytical capacity of the National Security Agency – a much larger organization than the CIA.</p>
<p>Add to that the combined electronic and intelligence analysis capacity of countries like Britain, France, Germany, Japan, Canada and Australia and you have some idea of the energy being focused on cyber threats.</p>
<p>The big mistake that many of us make in all this is to assume that because what our humble company or organization is involved in isn’t so “sexy”, we won’t be targeted – whether by large-scale or small fry attackers. The prize for the latter may be a mere missing link in a chain, a link that we regard as inconsequential. Then again, they may aim to steal a company’s entire manufacturing process, all of its data and its R &amp; D results as well. The nub is that any or all of this can be accessed from numerous vantage points in today’s ever-expanding electronic world. A missing link or the crux of a firm’s negotiating position are just as likely to be gleaned from indiscreet banter on a social networking site or via email as they are from hacking into the organization’s computer system.</p>
<p>In essence, governments are now deeply involved in fighting the <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">cyber threat</a>, whether it’s from a powerful state-sponsored attack, cyber-criminals seeking credit card numbers and bank account details, or from someone engaging in industrial espionage. The sophisticated systems and technology emerging from this process would do James Bond proud, though you’re unlikely to see them featured in a movie any time soon.</p>
<p>It is a complex, churning, dog-eat-dog world. Here then, are a few tips you might find useful in your quest to safeguard your organization’s operations:</p>
<p><strong>1. Examine Your Internal Security.</strong></p>
<p>From a protective point of view, one of the most prominent features of today’s “electronic community” is the lack of security consciousness among users. It is a world in which friends, not editors, shape Internet habits. Many users are blissfully unaware of the dangers involved, despite a wealth of publicity, and believe that somewhere mechanisms are in place to shield them from cyber threats. The reality is that the traditional watchdogs and gatekeepers have been taken away. As an Australian security journal put it recently, “Participants in digital communities need to look after themselves and each other … in time, most people will come to realise that self-management plays a key role in Web 2.0 security. Until then, many need encouragement and protection.”<sup>4</sup></p>
<p>The onus is on management to ensure that staff are briefed and regularly updated on the threats involved, not just within the broader community but also specifically in terms of your business or organization.</p>
<p><strong>2. Hire the Right Cyber Expertise.</strong></p>
<p>Make sure you call in a professional team of experts with a proven track record, both domestically and overseas. They’ll be able to carry out a <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">forensic audit</a> of your organization, of your computer system and of your electronic exposure as a whole. They can highlight your vulnerabilities and detect penetration that may already have occurred. They can also brief your staff, and in more explicit terms, your senior management team.</p>
<p>Of equal importance is the fact that the best professional experts are generally in contact with your country’s intelligence apparatus, sometimes advising and working alongside them. They can brief you on the sort of assistance your government offers to private organizations being targeted, or likely to be.</p>
<p><strong>3. Review Your Method of Employing Staff.</strong></p>
<p>Make sure that the employment agency and executive recruitment firm you’re using are on top of this game. Don’t just accept their assurance that they are. Check out for yourself how they go about it.</p>
<p><strong>4. Disseminate Information.</strong></p>
<p>Start circulating information inside your organization on the threats involved. Useful articles appear in newspapers and journals regularly, some specifically relating to your industry. Don’t assume that your staff will hear about the most relevant cases on the TV news and digest their significance. Bring in an occasional outside presenter to keep the subject fresh in the minds of your staff. A Japanese corporation recently brought in a speaker to address the question of how technological innovation in modern history has, per se, basically not provided competitive advantage. Rather, it’s the clever and resourceful harnessing of technology that does the trick. Reference to vulnerabilities and the role of human foibles was included in this talk as a bi-line.</p>
<p><strong>5. Acknowledge Changing Realities.</strong></p>
<p>If your business operates in one or more multi-cultural societies – like the US, Canada, Australia, France and The Netherlands – you will need to make your staff aware of the fact that a threat might come from within. This is obviously a delicate matter, as is the issue of privacy, and must be handled with care. Questions of age and demographics arise as well. As The Financial Times noted in September, “Unlike previous generations of Web users, today’s digital natives don’t just go to the Web to find information. They go to be entertained and to network with their peers.”<sup>5</sup> A recent survey by Nielsen Online in Australia showed that that country’s Facebook habit soaks up around a quarter of all time spent on the Internet. Older managers are often flummoxed by the short attention spans that many young people have.</p>
<p>These sorts of things have to be taken into account when you consider your organization’s security. Don’t hesitate to call in experts who can articulate them properly.</p>
<p><em>1 Brad Stone, “On the Web, sharing is about turning a profit”, The New York Times, Global Edition, September 28, 2009.<br />
2 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation”, prepared for The US-China Economic and Security Review Commission, October 2009.<br />
3 Arnaud de Borchgrave, “The silent cyberwar”, Washington Times, February 19, 2009.<br />
4 Bruce Arnold, “Security Two Point Oh? Security, Sharing and Web 2.0 – Who is Watching You?”, Security Solutions, No. 62, November/December 2009.<br />
5 Jessica Twentyman, “Technology shows what’s on a customer’s mind”, The Financial Times, September 17, 2009.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/11/04/the-cyberspace-explosion-five-tips-for-survival/feed/</wfw:commentRss>
		</item>
		<item>
		<title>McKinsey Partner’s Arrest Spotlights White-Collar Crime</title>
		<link>http://www.intellisec.com/blog/2009/11/02/mckinsey-partner%e2%80%99s-arrest-spotlights-white-collar-crime/</link>
		<comments>http://www.intellisec.com/blog/2009/11/02/mckinsey-partner%e2%80%99s-arrest-spotlights-white-collar-crime/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 22:15:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[Fraud Detection]]></category>

		<category><![CDATA[financial crime]]></category>

		<category><![CDATA[Bernie Madoff]]></category>

		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=200</guid>
		<description><![CDATA[The elite US consulting firm of McKinsey &#38; Company, long known for its prudence and caution, must have been low on anybody’s suspect list of those likely to be involved in financial crime. Even the suspect himself was shocked when federal officers arrived at his California home recently to arrest him on charges of conspiracy [...]]]></description>
			<content:encoded><![CDATA[<p>The elite US consulting firm of McKinsey &amp; Company, long known for its prudence and caution, must have been low on anybody’s suspect list of those likely to be involved in <a href="http://www.intellisec.com/financial_crimes.html" target="_blank">financial crime</a>. Even the suspect himself was shocked when federal officers arrived at his California home recently to arrest him on charges of conspiracy and securities fraud. As The Financial Times reported on October 22, Anil Kumar fainted and had to be briefly hospitalised. Court documents reveal that he has been accused of passing inside information to Raj Rajaratnam, head of the Galleon Group, arrested in New York last week on insider trading charges.</p>
<p>Shocks like this come out of a clear blue sky. As McKinsey’s worldwide managing director, Dominic Barton, has said, “This issue is completely virgin territory for us. We have very clear policies that you do not invest in clients or situations even where it is legal.”</p>
<p>There are, however, protective measures that firms can take. Experienced professional teams of experts exist that can apply sophisticated investigatory methods and state-of-the-art technology to warn top management of possible fraud. Tell-tale signs are often buried in patterns of contact and in other areas where no one else would think to look. Expert financial analysis, coupled with <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">computer forensic</a> work, for example, can usually provide you with a running image of what’s actually going on inside your company, much as infra-red night-vision goggles allow you to “see in the dark”. Without any support of this nature, you’re basically flying blind. Far better to be pro-active and not sorry.</p>
<p>As the Times points out, news of Kumar’s arrest stunned both McKinsey and the broader management consulting industry, which is valued above all in executive suites throughout the world for discreet counsel on matters often central to corporate strategy. Unlike law firms, top consulting companies have not previously been hit by investment trading scandals.</p>
<p>Ironically, the arrest of Kumar – who is widely respected in the Indian-American business world and beyond – comes hot on the tail of the Galleon case, which is seen as a significant win for the US Attorney for the southern district of New York. The latter has long been the Justice Department’s senior officer on the white-collar crime beat. But during the financial crisis, questions were asked about whether the office was living up to its responsibilities. Galleon represents something of a comeback to such critics. The charges filed last week against Rajaratnam and five others amount to the biggest insider-trading case involving a hedge fund. And, of course, another win still fresh in everyone’s memory is the <a href="http://www.intellisec.com/blog/2009/09/13/lessons-according-to-saint-bernard-the-madoff-case-laid-bare/" target="_self">Bernard Madoff</a> case.</p>
<p>Preet Bharara, who took over as chief of the Attorney’s office ten weeks ago, says the Galleon case should be a “wake-up call to Wall Street”. He could well have said “to the global financial and corporate world as a whole”. The use of court-authorised wire taps in the Galleon case underscores the escalation of law enforcement efforts against financial crime in the United States. Wire taps are traditionally used to investigate mobs and drug gangs.</p>
<p>But wherever your firm is operating, don’t wait until a deviant staff member pushes you out into the limelight. Thinking you know all you need to know about your company can be dangerous. A professional team can tip you off to something that’s even worse: what you don’t know you don’t know but urgently need to.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/11/02/mckinsey-partner%e2%80%99s-arrest-spotlights-white-collar-crime/feed/</wfw:commentRss>
		</item>
		<item>
		<title>McScam: Fast Food Customers Fleeced</title>
		<link>http://www.intellisec.com/blog/2009/10/29/mcscam-fast-food-customers-fleeced/</link>
		<comments>http://www.intellisec.com/blog/2009/10/29/mcscam-fast-food-customers-fleeced/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 03:17:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Forensic Investigation]]></category>

		<category><![CDATA[financial crime]]></category>

		<category><![CDATA[forensic investigators]]></category>

		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=198</guid>
		<description><![CDATA[Australia’s Daily Telegraph reported on October 21 that McDonald’s – the largest fast food chain in the country – will overhaul security on its EFTPOS machines after customers were stripped of $A4 million. Criminals had snatched the devices at McDonald’s outlets across the Western Australian state capital of Perth, a city of more than one [...]]]></description>
			<content:encoded><![CDATA[<p>Australia’s <a href="http://www.news.com.au/business/story/0,10166,26239948-5017676,00.html?from=public_rss" target="_blank">Daily Telegraph</a> reported on October 21 that McDonald’s – the largest fast food chain in the country – will overhaul security on its EFTPOS machines after customers were stripped of $A4 million. Criminals had snatched the devices at McDonald’s outlets across the Western Australian state capital of Perth, a city of more than one million people, and replaced them with bogus card-skimming versions. This allowed them to fleece at least 3,500 customers. If you’re running a retail business make sure you not only have the appropriate security protocols in place but that you’re also in contact with a team of experienced <a href="http://www.intellisec.com/forensic_investigation.html" target="_self">forensic investigators</a> who can ensure that your protective walls are not breached.</p>
<p>Police in Australia have recently warned retailers to be vigilant in maintaining their EFTPOS security systems. A top fraud squad officer in Western Australia has explained that the McDonald’s scam occurred when legitimate EFTPOS PIN pads were replaced by fake ones that transmitted PINs to the criminals. “It doesn’t take much time to switch these pads over,” he said. “Perhaps 15 to 20 seconds. It’s plug in and play.”</p>
<p>The most likely scenario in the scam is that McDonald’s staff were distracted while serving customers, with the bogus devices probably substituted at that time. A police taskforce has been established to specifically target the McDonald’s crime and it has warned retailers across the nation, especially in the largest state of New South Wales, to learn from the Perth experience and keep their terminals under constant and close scrutiny. No arrests have so far been made.</p>
<p><span id="more-198"></span></p>
<p>McDonald’s in Australia has said that it will be implementing a number of measures across the country to protect its security systems, but understandably declined to provide any detail. It is believed, however, that the measures will include new technologies that prevent the removal of, or tampering with, EFTPOS PIN pads, as well as giving the machines a highly visual presence in each of the chain’s stores.</p>
<p>Spokesmen for the country’s two largest retailers, Woolworths and Coles, have both stated that the firms had no need to change their security protocols on EFTPOS terminals because their machines contained more advanced technology.</p>
<p>The question is, are you technologically up to date in the operation you’re running?</p>
<p>If you have any doubts, call in a team of experts now. They’ll not only advise you on the sort of state-of-the-art equipment you need to install but also put in place or upgrade your overall security system to fit in with it. The last thing you want is thousands of customers angry because their cards have been compromised.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/29/mcscam-fast-food-customers-fleeced/feed/</wfw:commentRss>
		</item>
		<item>
		<title>FBI Operation Catches Online Bank Fraudsters</title>
		<link>http://www.intellisec.com/blog/2009/10/27/fbi-operation-catches-online-bank-fraudsters/</link>
		<comments>http://www.intellisec.com/blog/2009/10/27/fbi-operation-catches-online-bank-fraudsters/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 22:36:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[Internet Forensics]]></category>

		<category><![CDATA[cyber attack]]></category>

		<category><![CDATA[financial crime]]></category>

		<category><![CDATA[Computer Fornesics]]></category>

		<category><![CDATA[fraud]]></category>

		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=196</guid>
		<description><![CDATA[In what the FBI is calling Operation Phish Phry, it has arrested 53 people on charges of conducting a vast financial fraud based on phishing. Numerous Internet users have been tricked into revealing vital information, according to an 86-page indictment filed in the US District Court in Los Angeles. The New York Times reported on [...]]]></description>
			<content:encoded><![CDATA[<p>In what the FBI is calling Operation Phish Phry, it has arrested 53 people on charges of conducting a vast <a href="http://www.intellisec.com/financial_crimes.html" target="_self">financial fraud</a> based on phishing. Numerous Internet users have been tricked into revealing vital information, according to an 86-page indictment filed in the US District Court in Los Angeles. The New York Times reported on October 7 that the arrests took place in Southern California, Nevada and North Carolina, while the authorities in Egypt have sought to arrest 47 people who the FBI says were co-conspirators.</p>
<p>The FBI has revealed that this is the largest number of defendants ever charged in a <a href="http://www.intellisec.com/internet_forensics.html" target="_self">cybercrime</a> case, and that they had stolen at least $US2 million from 2007 until last month. The scams victimised people with accounts at Bank of America and Wells Fargo, two of the largest banks in the United States. The online component of the fraud was perpetrated in Egypt, with the defendants there sending mass email messages that appeared to be authentic communications from the banks. The people who clicked on these messages were sent to fake websites made to look identical to the real banking sites. There they were asked to enter personal information like their bank account numbers, passwords, social security numbers and drivers’ license numbers.</p>
<p>The co-conspirators in the US took over from there, transferring funds into their own accounts and remitting some money back to their accomplices in Egypt. The FBI has said that it was a very well organised crime and that everyone involved got paid. Now the 53 named in the indictment might also get 20 years in prison.</p>
<p><span id="more-196"></span></p>
<p>The investigation began in early 2007, when the banks alerted the FBI to the fraud. While Bank of America would not comment on the specifics of the case, it nevertheless stated that it “monitors for fraudulent sites and works to shut them down as quickly as possible.”</p>
<p>If you are worried that your company might be susceptible to this increasingly common threat, it would be advisable to call in a professional team skilled in the art of <a href="http://www.intellisec.com/computer_forensics.html" target="_self">computer forensics</a>. That’s not only the best way to safeguard your operations, but it will also serve to alert your employees to where danger lurks.</p>
<p>Once again, the FBI operation has highlighted the pernicious nature of phishing. At the beginning of October, more than 10,000 addresses and passwords for customer accounts on Hotmail, one of Microsoft’s Web-based email services, appeared online, apparently after being stolen via <a href="http://www.intellisec.com/internet_forensics.html" target="_self">phishing</a>. In what appeared to be a separate incident, a list of more than 20,000 addresses and passwords for accounts on Hotmail, Gmail, Yahoo and AOL was posted to a website. The Internet companies said they were working with affected customers to help them recover their accounts.</p>
<p>Chet Wisniewski, senior security adviser at Sophos, a web security firm, doubted the arrests would have an effect on the number of online banking scams. “I would imagine there are many different groups doing similar things,” he says. “You squash one bug and another one emerges. If there’s an opportunity to make money, someone will be there to collect the bill.”</p>
<p>Don’t delay in ensuring that your company operations are secure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/27/fbi-operation-catches-online-bank-fraudsters/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Saab, US Company Accused of Bribery in South Korea</title>
		<link>http://www.intellisec.com/blog/2009/10/25/saab-us-company-accused-of-bribery-in-south-korea/</link>
		<comments>http://www.intellisec.com/blog/2009/10/25/saab-us-company-accused-of-bribery-in-south-korea/#comments</comments>
		<pubDate>Sun, 25 Oct 2009 23:08:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[investigation]]></category>

		<category><![CDATA[Bribery]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=194</guid>
		<description><![CDATA[The Korea Times in Seoul reported on October 6 that an investigation into bribery cases involving foreign defence firms is widening as more evidence of illegal lobbying activities emerges. The move comes as the country’s authorities conduct a probe into the Swedish defence and aerospace firm, Saab, whose Seoul office has been raided on suspicion [...]]]></description>
			<content:encoded><![CDATA[<p>The Korea Times in Seoul reported on October 6 that an investigation into bribery cases involving foreign defence firms is widening as more evidence of illegal lobbying activities emerges. The move comes as the country’s authorities conduct a probe into the Swedish defence and aerospace firm, Saab, whose Seoul office has been raided on suspicion of paying for military secrets that might help it win lucrative contracts. Publicity like this hardly enhances a company’s reputation, particularly if the firm concerned and its employees happen to be innocent. But if you’re running a company and suspect that something devious might be afoot, then call in a team of professional <a href="http://www.intellisec.com/forensic_investigation.html" target="_self">investigators</a>, especially in <a href="http://www.intellisec.com/computer_forensics.html" target="_self">computer forensics</a>, without delay. An experienced group will be able to match up such things as budgets, expenditures and communication patterns and forewarn you of danger areas inside your operations.</p>
<p>The Saab case comes at a time when South Korea plans to create a new strike force of up to 100 fighter aircraft by 2020, so competition with other manufacturers like Boeing and Lockheed Martin is intense. While the new aircraft, known as the KF-X, will be produced by South Korea and is being touted as “home-grown”, it will require foreign involvement in its development and production.</p>
<p>Pivotal to this case is a private South Korean defence think tank, the Security Management Institute, which plays an advisory role to the country’s National Assembly. Seoul authorities claim that they became aware earlier this year that classified information on the KF-X program had been leaked to the Swedish firm, after which they raided both Saab’s office and that of the Institute. Documents and computer files were seized in a bid to uncover the alleged connection. Bank accounts of Saab employees and officials at the Institute were also traced. Saab has acknowledged that it did make a payment to the Institute to sponsor a seminar last March, but that this simply related to a Swedish trade fair attended by its chief executive.</p>
<p><span id="more-194"></span></p>
<p>South Korean authorities, however, claim that the amounts of money allegedly involved far exceeded the one-off payment that Saab has admitted to. They say that it was security operatives within the defence system who first picked up details of the amounts changing hands. Six people are supposedly implicated in the leaking of the secret information and four witnesses are apparently available to testify. The authorities have not yet released the name of the US company involved. Saab has been accused of offering large sums to the president of the Institute, who is a former head of the state-funded Korea Institute for Defence Analyses.</p>
<p>A South Korean defence expert has commented that the probe into Saab appears to be only the start of a much wider investigation into illegal lobbying activities by foreign firms and their agencies. If you want to ensure that your company doesn’t find itself caught up in a complex and damaging scenario like this, call in the <a href="http://www.intellisec.com/computer_forensics.html" target="_self">computer forensics</a> professionals sooner rather than later and put your mind at rest. It will be money well spent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/25/saab-us-company-accused-of-bribery-in-south-korea/feed/</wfw:commentRss>
		</item>
		<item>
		<title>‘Canadian Madoff’ sentenced to jail for 200 fraud charges</title>
		<link>http://www.intellisec.com/blog/2009/10/20/canadian-madoff%e2%80%99-sentenced-to-jail-for-200-fraud-charges/</link>
		<comments>http://www.intellisec.com/blog/2009/10/20/canadian-madoff%e2%80%99-sentenced-to-jail-for-200-fraud-charges/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 02:01:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Fraud Detection]]></category>

		<category><![CDATA[financial crime]]></category>

		<category><![CDATA[financial crimes]]></category>

		<category><![CDATA[financial fraud]]></category>

		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=192</guid>
		<description><![CDATA[This week a Montreal court sentenced former Norbourg CEO Vincent Lacroix to 13 years in jail after he recently pleaded guilty to nearly 200 fraud charges in relation to the financial collapse of the Norbourg Group. The charges included multiple counts of fraud, conspiracy to defraud, conspiracy to commit forgery, fabricating documents and [...]]]></description>
			<content:encoded><![CDATA[<p>This week a Montreal court sentenced former Norbourg CEO Vincent Lacroix to 13 years in jail after he recently pleaded guilty to nearly 200 fraud charges in relation to the financial collapse of the Norbourg Group. The charges included multiple counts of <a href="http://www.intellisec.com/financial_crimes.html" target="_self">fraud</a>, conspiracy to defraud, conspiracy to commit forgery, fabricating documents and money laundering, and relate to the 2005 implosion of the investment firm.</p>
<p><a href="http://www.canada.com/news/Vincent+Lacroix+pleads+guilty+multiple+fraud+charges/2016299/story.html " target="_blank">Vincent Lacroix</a>, the CEO of the now-bankrupt Norbourg Group, which swindled thousands of Quebecers out of their personal investments in one of the most high-profile white collar crime cases in Canadian history, was sentenced to 13 years in prison yesterday. He was charged with the fraud after more than CAN$100 million [US$97 million] was illicitly removed from his investment firm, most of it money contributed by over 9,000 personal investors.</p>
<p>Prior to his September 2009 guilty plea, Lacroix was on parole, having served part of an earlier 12-year sentence for other facets of the fraud. Lacroix had been successfully convicted during a civil suit on 51 Quebec Securities Act violations brought by Autorite des marches financiers and financed by dues from Quebec&#8217;s investment representatives.</p>
<p>A criminal trial will proceed featuring five other managers and employees of the Norbourg Group who authorities allege assisted Lacroix with the fraud and disappearance of the investment funds. The trial has a keen political element as one of the defendants, Jean Renaud, aged 40, was formerly a high-level bureaucrat in Quebec&#8217;s Finance Department before he was arrested in relation to this case.</p>
<p><span id="more-192"></span></p>
<p>Little of the money has been recovered and a shroud of mystery surrounds what Lacroix and the others did with it. Though some investors were compensated by the regulatory authorities, many others are now destitute.</p>
<p>Questions remain unanswered as to how the funds disappeared and why they remain unaccounted for. Some investors expressed dissatisfaction that Lacroix has still not publicly accounted for his actions or explained what went on, even though he has received such a severe sentence. Many investors look set to launch a class action in an effort to recover their defrauded investments.</p>
<p>In a demonstration of the criminal willfulness of Lacroix’s actions, Quebec Superior Court Judge Wagner included in his written judgment &#8220;The evidence shows that Vincent Lacroix&#8217;s acts&#8230; shook the structure of financial markets while causing serious moral damages to the victims of this scandal – one without precedent in the annals of Canadian law&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/20/canadian-madoff%e2%80%99-sentenced-to-jail-for-200-fraud-charges/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Japanese Banks Call Gangs to Account</title>
		<link>http://www.intellisec.com/blog/2009/10/15/japanese-banks-call-gangs-to-account/</link>
		<comments>http://www.intellisec.com/blog/2009/10/15/japanese-banks-call-gangs-to-account/#comments</comments>
		<pubDate>Thu, 15 Oct 2009 22:27:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[Fraud Detection]]></category>

		<category><![CDATA[financial crime]]></category>

		<category><![CDATA[Financial Crim]]></category>

		<category><![CDATA[Money Laundering]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=190</guid>
		<description><![CDATA[If your company is about to go into business in Japan it will pay to know where gangs – referred to as yakuza – fit into the scene. In more ways than one, Japan has the most overt, upfront gangs in the world. They hold annual general meetings and are sometimes seen on TV. But [...]]]></description>
			<content:encoded><![CDATA[<p>If your company is about to go into business in Japan it will pay to know where gangs – referred to as yakuza – fit into the scene. In more ways than one, Japan has the most overt, upfront gangs in the world. They hold annual general meetings and are sometimes seen on TV. But there’s also an ugly side, of extortion and financial crime. And it can be on a huge scale. If you’re not sure what’s going on, call in a <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">computer forensics</a> team that can X-Ray your company’s operations to detect any unwanted dimensions.</p>
<p>To help clean up the country’s act, the Japanese Bankers Association recently decided to instruct its 187 member banks not to allow gang members to open accounts, in an attempt to counter crime syndicates’ <a href="http://www.intellisec.com/financial_crimes.html" target="_blank">money laundering</a> activities. As reported by The Yomiuri Shimbun, the decision was made by the JBA’s board of directors to oblige its members to establish in-house rules to exclude crime syndicates from their services. The Association had already announced in November last year a policy of banning the syndicates from financial transactions, including loans. This latest prohibition covers members and associate members of crime syndicates, companies that have close connections with crime syndicates and corporate racketeers. Banks will refuse to let them open ordinary savings accounts and current accounts, and will not provide safe-deposit boxes. Accounts already set up by gang members will be cancelled once banks determine their identity.</p>
<p>People and organizations involved in illicit activities such as intimidation will also be excluded from bank services, even if they are not clearly linked to crime. To ensure a consistent policy across the banking sector, the JBA has said it will examine the creation of a database of people linked to the syndicates. At present, banks only compile such information on an individual basis.</p>
<p><span id="more-190"></span></p>
<p>The reality is that, as cases of gang members using their accounts for money laundering are regularly exposed by the police and other authorities, it is obvious that the incidence of this abuse is not declining. Something has to be done. In early 2008, the prefectural police in Kanagawa, to the south of Tokyo, exposed a scheme involving a credit guarantee system, in which a prominent gangster had some of his ill-gotten gains transferred to his bank account. This shocked the nation because a credit guarantee system is a program through which public institutions act as guarantor for small and medium-sized enterprises, therefore helping them to raise capital. This has prompted the JBA to resolve to unite the entire banking industry in banning crime syndicates from accessing its services.</p>
<p>In financial circles, the Japan Securities Dealers Association decided in 2007 to refuse to handle transactions involving crime syndicates. In March this year it set up a joint mechanism to enable its members to request information on such people and is now establishing its own database.</p>
<p>These are all moves in the right direction but if you’re taking your company into Japan it would be most unwise to rely solely upon them. An experienced <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">computer forensics</a> and <a href="http://www.intellisec.com/forensic_investigation.html" target="_self">investigation</a> team will be able to lay bare for you dimensions that the new system may not uncover. After all, if the will to make it work now is as strong as claimed it would surely have been set up and made to work effectively decades ago.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/15/japanese-banks-call-gangs-to-account/feed/</wfw:commentRss>
		</item>
		<item>
		<title>If Fake Anti-Virus Software Doesn’t Get You, Something Else Will.</title>
		<link>http://www.intellisec.com/blog/2009/10/11/if-fake-anti-virus-software-doesnt-get-you-something-else-will/</link>
		<comments>http://www.intellisec.com/blog/2009/10/11/if-fake-anti-virus-software-doesnt-get-you-something-else-will/#comments</comments>
		<pubDate>Sun, 11 Oct 2009 22:30:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[Internet Forensics]]></category>

		<category><![CDATA[computer misuse]]></category>

		<category><![CDATA[cyber attack]]></category>

		<category><![CDATA[Computer Crime]]></category>

		<category><![CDATA[cyber crime]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=188</guid>
		<description><![CDATA[A Russian security researcher who heads Canada’s virus lab, Sophos, has recently shown how most spam on email, search engines and social networking sites originates with ‘affiliate networks’. These networks pay generous commissions to geeks who refer unsuspecting web users to their illegal products. Not only are they selling fake anti-virus software but also illegal [...]]]></description>
			<content:encoded><![CDATA[<p>A Russian security researcher who heads Canada’s virus lab, Sophos, has recently shown how most spam on email, search engines and social networking sites originates with ‘affiliate networks’. These networks pay generous commissions to geeks who refer unsuspecting web users to their illegal products. Not only are they selling fake anti-virus software but also illegal penis pills, fake watches and other counterfeit luxury products. Whatever it is that might take your fancy, if you get caught out by these people they can do a lot of damage. Good <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">computer forensic</a> work is the only thing that can help you detect their presence and grapple with it.</p>
<p>In a paper for the Virus Bulletin Conference September 2009, Dmitry Samosseiko outlines how scareware, ‘Canadian Pharmacy’ spam, adult sites, and comment spam on forums and blogs have plagued the web and email world of most people in the past few years. But what, he asks, links these things together? What makes them grow in volume and complexity? Who is behind them? What business model drives the perpetrators’ profits to millions of dollars annually?</p>
<p>The answer is hundreds of well-organised Russian affiliate networks known as “partnerka”, which have coalesced to form a booming business industry. Thousands of affiliates, each calling themselves ‘webmasters’, work day and night to drive as much user traffic to their partners’ stores as possible, raking in thousands of dollars in the process.</p>
<p><span id="more-188"></span></p>
<p>Samosseiko says the first serious book about spam and spammers that he read was Spam Kings by Brian S. McWilliams in 2004. In this, the ‘pioneers’ of the email spam industry ran their businesses in a small family way. Relying on nothing more than help from their relatives, they handled the entire process chain themselves: harvesting email addresses, authoring message content, sending bulk emails, processing orders, rapidly switching their Internet service providers and, at a later stage, running from the FBI or being jailed. Since then, many countries have established anti-spam laws governing the use of email communications and marketing. While legislation was not expected to eliminate spam and make spammers extinct, it did criminalize their activities, making them a punishable offence and as a result a much riskier endeavour to engage in.</p>
<p>So, the second generation of spammers had to become a more organized and secretive group, forming professional spam outfits or collaborating online, where ‘bot herders’ could find their ‘sponsors’. The peak of their evolution, however, was the adoption of affiliate marketing methods in order to distribute responsibility for different spam tasks and to expand the army of ‘advertisers’.</p>
<p>The affiliate marketing models work well for products with large profit margins. Generic drugs produced without a licence, pornography, pirated software, casinos and dating services top the list. These are the sorts of topics we commonly see in email and web spam, Samosseiko says, but few people are aware that each theme is backed by numerous affiliate organizations with thousands of advertisers. Another fact, known to security industry researchers, is that the majority of the most powerful and controversial affiliate networks are based in Russia. These refer people to the networks’ products by setting up scores of bogus web pages and commanding botnet armies of infected computers to send spam. They use black hat search engine optimisation (SEO) techniques – and even monitor search term trends – to ensure that their pages appear towards the top of search results.</p>
<p>Software tools such as John22, A-Poster, Xrunner, DarkMail and ZennoPoster automate much of this process, including generating seemingly legitimate websites based on content from Wikipedia articles. The affiliates are paid a commission for every product they sell or for every computer they infect with malware, depending on the scheme they’re involved in. Samosseiko points out that just as Web 2.0 is about user-generated content, today’s web and email spam (Spam 2.0?) is generated by a massive number of affiliates who direct traffic to a partner site to get their share of the revenue.</p>
<p>One of the oldest and largest affiliate networks is known as GlavMed, which sells bogus pharmaceuticals under brand names like ‘Canadian Pharmacy’. Although GlavMed claims to have a strong anti-spam policy, searching its support phone number reveals over 120,000 online pharmacy sites selling generic drugs. It advertises a 40% commission fee on each sale. Assuming the cost of an average purchase is around $US200, even a couple of purchases a day become a good source of income. During Samosseiko’s research, he came across a log file of purchases made on ‘Canadian Pharmacy’ websites advertised in <a href="http://www.intellisec.com/internet_forensics.html" target="_blank">email spam</a>. This data revealed over 200 drug purchases per day per spam campaign, which can lead to $US16,000 in payments. Of course, GlavMed is a mere drop in the ocean of the bogus pharma business.</p>
<p>Scareware, which is malware that convinces users that their computer is infected with thousands of viruses, before offering to sell them fake anti-virus software to fix the so-called infections, is the most prevalent of today’s Internet threats. One scareware vendor, Topsale2.ru, says on its website that it only accepts traffic from Canada, Australia and the US and pays up to $US25 commission for each fake anti-virus software sale. It claims the average member can make a commission of almost $US5,000 in the space of only eleven days.</p>
<p>Samosseiko explains how a successful webmaster can make over $US180,000 per year on this network alone from traffic averaging 10,000 visits per day. “Assuming that most webmasters direct their traffic to more than one sponsor at a time,” he says, “it is no surprise that affiliate marketing and black SEO are extremely appealing career paths for a computer savvy person in Eastern Europe.”</p>
<p>Samosseiko believes that affiliate web marketing has also been the main driving force behind the recent explosion in malware, website infections, email spam and general web pollution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/11/if-fake-anti-virus-software-doesnt-get-you-something-else-will/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Cyber scams and cheats target job seekers: Six tips to protect yourself</title>
		<link>http://www.intellisec.com/blog/2009/10/06/cyber-scams-and-cheats-target-job-seekers-six-tips-to-protect-yourself/</link>
		<comments>http://www.intellisec.com/blog/2009/10/06/cyber-scams-and-cheats-target-job-seekers-six-tips-to-protect-yourself/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 04:45:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Computer Forensics]]></category>

		<category><![CDATA[computer misuse]]></category>

		<category><![CDATA[cyber attack]]></category>

		<category><![CDATA[Cyber Fraud]]></category>

		<category><![CDATA[Internet Forensics]]></category>

		<category><![CDATA[Money Laundering]]></category>

		<category><![CDATA[Online Scams]]></category>

		<guid isPermaLink="false">http://www.intellisec.com/blog/?p=186</guid>
		<description><![CDATA[As more and more job seekers turn to the internet looking for positions, scammers are finding ways to dupe them out of their money. Cyber fraud, money laundering and scams are confronting online job seekers. Authorities have reported a large rise in online scams targeting those looking for a new job or part-time position. Investigators [...]]]></description>
			<content:encoded><![CDATA[<p>As more and more job seekers turn to the internet looking for positions, scammers are finding ways to dupe them out of their money. <a href="http://www.intellisec.com/internet_forensics.html" target="_blank">Cyber fraud</a>, <a href="http://www.intellisec.com/financial_crimes.html" target="_blank">money laundering</a> and scams are confronting online job seekers. Authorities have reported a large rise in <a href="http://www.intellisec.com/computer_forensics.html" target="_blank">online scams</a> targeting those looking for a new job or part-time position. Investigators are uncovering new methods being utilized by groups including organized crime rings.</p>
<p>One of the boom businesses on the internet has been online recruitment, whereby job seekers have an easy way to review various positions vacant in their area which suit their qualifications and experience. Along with the established pay-to-advertise sites displaying adverts on behalf of recruitment agencies and businesses, there are now a number of free-to-advertise sites; these sites often focus on part-time or work-from-home positions.</p>
<p>Unfortunately, many job seekers, in their desperation to grab the opportunity of making some money, have fallen foul of fake adverts for nonexistent jobs. The advertisers often use a rolling index of generic business names such as Alpha Recruitment Inc and obscure their office location and contact details – choosing to communicate via email only.</p>
<p><span id="more-186"></span></p>
<p>One of the favourite types of scams is to offer a supposed work from home position which involves the applicant utilizing their own bank account to receive fake cheques, transfers or deposits from other unwitting victims.</p>
<p>One twist is where the fake employer offers to help get the job applicant started by depositing cheques into the job applicant’s bank account. The job applicant is then instructed to pay over most of those funds to other parties via wire transfers. Unfortunately, the cheques are either fraudulent or already cashed whilst the recipients of the transfers are part of the criminal sting. This leaves the victim not only out of pocket to the tune of thousands of dollars but also liable for criminal prosecution for money laundering, however naïve and innocent the victim.</p>
<p>Another scam is to have the victim complete a fake online application form which includes all their personal information such as full name, date of birth, current &amp; past addresses, SSN or driving licence numbers. The position is nonexistent and the scam is to glean as much personal information as possible to effect the theft of their identity and start taking out false loans, mortgages over their property, credit cards etc.</p>
<p>One slightly more innocuous scam is to charge a small fee [usually less than $100] for assistance with finding that lucrative and sought-after position. The assistance mainly consists of little more than obvious advice, contact numbers, government website addresses etc. Any person wanting a refund will find it nigh on impossible to track the entity behind the website, and the effort involved is way beyond the $100 spent.</p>
<p>Some fake recruiters have been known to falsely claim to represent international companies for positions overseas. These fake recruiters then charge ‘processing fees’ and even go so far as to arrange bogus interview boards and medical examinations. The job seeker only learns that they have been scammed when the promised job fails to materialize and the HR Department of the intended employer has never heard of the agency. By this time, the recruiter has closed down, changed names and moved offices.</p>
<p>Probably the most dangerous schemes are those that trick job seekers into scams known as reshippers or money mules. These scams are often operated by international criminal syndicates with links to drug trafficking and money laundering. Far more sophisticated than the all too familiar Nigerian e-mail messages, money mules are recruited by supposed international businesses looking for “receiving payment agents” who will accept payments into their bank account from “customers” (often identity fraud victims) and transfer the money to their “employer” (overseas criminals). Some duped agents are told to keep ten percent, but many are promised payment by direct deposit, which, of course, never comes.</p>
<p>Reshipper scams begin with bogus international shipping companies looking for “logistics managers” to receive packages of valuable items such as laptops, iPods and cameras, bought with stolen credit cards, and forward them to an address in a foreign country. The agent is meant to receive payments for their efforts, but rarely does so, and is often raided by the police investigating the criminal activity.</p>
<p><strong>Tips to protect you from the scammers</strong></p>
<p><strong>BE SUSPICIOUS.</strong> Query any unsolicited email offering a position, or any email using poor grammar and spelling which comes from an email address that doesn’t match the name of the company. Real recruitment companies use polished language, emphasize a position’s duties and use corporate e-mail addresses, not Hotmail or Gmail accounts.</p>
<p><strong>KEEP YOUR INFORMATION PRIVATE.</strong> Restrict the personal information you give out online. Avoid including any information you wouldn’t want everyone to know, because putting it online is exactly that: telling everyone. Avoid providing your address, a key piece of information for those organizing identity fraud; genuine employers are happy with a general geographic location. Unless you’re signing an employment agreement, keep your Identity Card or passport number to yourself.</p>
<p><strong>KEEP TO WHAT YOU KNOW. </strong>If you are in a particular sector or profession, stick with that and avoid companies offering high salaries for something you’re not familiar with. Stick with industry-specific employment boards or professional groups which are less likely to be targeted by scammers.</p>
<p><strong>DO SOME RESEARCH.</strong> Research the company. Do they have a commercial Web site with lots of content, a list of managers’ names and a phone number where you can reach a human being? How long has the website been running – does it have links to genuine sites?</p>
<p>Some simple internet searches can spot trouble. You can also check a company’s reputation with government agencies and look for complaints on Web sites like <a href="http://www.complaintsboard.com/" target="_blank">Complaintsboard.com</a> and <a href="http://www.phishbucket.org/main/" target="_blank">PhishBucket.org</a>.</p>
<p><strong>KEEP IT SIMPLE.</strong> Look for positions locally via the newspaper, want ads, associations, friends or relatives or the local job centre. If the position sought is temporary or not career changing, keep it simple.</p>
<p><strong>GET TO KNOW THE COMPANY.</strong> Seek to identify any employees, suppliers or customers of the company who can vouch for the company. Take the view that if you can’t meet them face to face or call them direct on a local phone number then it’s best not to be engaged with them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intellisec.com/blog/2009/10/06/cyber-scams-and-cheats-target-job-seekers-six-tips-to-protect-yourself/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
