Text 1

A lot of perfectly respectable small businesses are raking in money from Internet fraud. From identity theft to bogus stock sales to counterfeit prescription drugs, crime is widespread on the Web. But what has become the Wild West for cybercriminals has also developed into major business opportunity for cybersleuths.

One of the most well-known is Kroll Ontrack, a technology services provider that Kroll, an international security company based in New York, set up in 1985. Others include ICG Inc. in Princeton, NJ, Decision Strategies in Falls Church, VA, and Cyveillance in Arlington, VA, all started in 1997. “As more and more crime is committed on the Internet, there will be growth of these services, “said Rich Mogull, research director of information security and risk at Gartner Inc., a technology-market research firm in Stanford, CT.

ICG, for example, has grown to thirty-five employees and projected revenues of $7 million this year from eight employees and $1.5 million four years ago, said Michael Allison, its founder and chief executive. ICG, which is a licensed private investigator, uses both technology and more traditional cat-and-mouse tactics to track down online troublemakers for major corporations around the world. These include spammers and disgruntled former employees as well as scam artists. “It’s exciting getting into the hunt,” Mr. Allison, a forty-five-year old British expatriate, said. “You never know what you’re going to find. And when you identify and finally catch someone, it’s a real rush.

Mi2g, a computer security firm, said online identity theft cost businesses and consumers more than $5 billion last year worldwide, while spamming drained $3.5 billion dollars from corporate coffers. Those numbers are climbing, experts say. “The Internet was never designed to be secure, “said Alan E. Brill, senior managing director at Kroll Ontrack. “There are no guarantees.”

Kroll has seven crime laboratories around the world and is opening two more in the United States. “It’s common to think that we ’ re all former hackers,” Mr. Allison said about the industry, and his company in particular. “But it’s not true. The people who work here wear ties. Shaving is compulsory. We have former marines, FBI agents, and graduate students. We’re a real white-shoe sort of operation.” ICG’s clients, many of whom he will not identify because of privacy agreements, include pharmaceutical companies, lawyers, financial institutions, Internet service providers, digital entertainment groups, and telecommunications giants.

One of the few cases that ICG can talk about is a spamming problem that happened at Ericsson, the Swedish telecommunications company, a few years ago. Hundreds of thousands of e-mail messages promoting a telephone sex service inundated its servers hourly, crippling the system, according to the company. “They kept trying to filter it out,” said Jeffery Bedser, chief operating officer of ICG “But the spam kept on morphing and getting around filters.”

While no solution is exactly the same for online detective cases, a general search for a spammer typically involves thousands of webpages, Usenet groups, and message boards. Sometimes, all the searching comes up empty. There is no hard-and-fast guarantee to identify everyone, Mr. Allison said. “There were cases that I'd hoped we get a result for and just didn’t.”

It is especially difficult these days, he says, because of cloaking software, such as Anonymizer, that is used to hide the movements of a Web user, as well as the “hijacking” of third-party computers that are then used to carry out illicit activity without the owners of the computers knowing what is happening. In the Ericsson case, Mr. Bedser and his team plugged the spam message into search engines and located other places on the Web where it appeared; some e-mail addresses turned up, which led to a defunct e-fax website; that website had in its registry the name of the spammer, who turned out to be a middle-aged man living in the Georgetown section of Washington.

Several weeks later, the man was sued. He ultimately agreed to a $100,000 civil settlement, though he didn’t go away, Mr. Bedser said. “The guy sent me an e-mail that said, “I know who you are and where you are,” he recalled. “He also signed me up for all kinds of spam and I ended up getting flooded with e-mail for sex and drugs for the next year.”

Over the years, Mr. Allison estimates that ICG has tracked down more than 300 spammers, 75 of which its clients brought to civil court, and 12 of which went to criminal referrals. Mr. Allison says ICG’s detective work is, for the most part, unglamorous—sitting in front of computers and “looking for ones and zeros.” Still, there are some private-eye moments. Computer forensic work takes investigators to corporate offices all over America, sometimes in the dead of night. Searching through suspect hard drives—always with a company lawyer or executive present— they hunt for “vampire data,” or old e-mails and documents that the computer users thought they had deleted long ago.

In some cases, investigators have to use subterfuge. Once, an ICG staff member befriended a suspect in a “pump-and-dump” scheme—in which swindlers heavily promote a little-known stock to get the price up, then sell their holdings at artificially high prices—by chatting with him electronically on a chess website. Investigators often adopt pseudonyms when they interact on a message board. “We like to masquerade as women,” Mr. Allison said. “Typically, we’ll use names like Pat, Terry, or Casey so it’s ambiguous.”

It is when investigators start coaxing identities and backgrounds out of people under false pretenses that privacy experts start to worry. “There’s a lot of work that involves what is kindly called social engineering and what could just as easily be called fraud,” said Steward A. Baker, head of the technology department at the law firm Steptoe & Johnson. “You have to have evidence that holds up to scrutiny in court.” There are areas that ICG and other leading sleuthing companies will not touch, such as celebrities, politics, sex, and matrimonial issues. “It’s dirt digging,” said Mr. Allison.

Before Mr. Allison opened ICG, he worked as a public information officer for the British government and also spent time running background checks for Wall Street firms. In 1991, he started International Business Research, which grew into ICG six years later. The Internet boom almost guarantees an unending supply of cybercriminals. “They’ve like mushrooms,” Mr. Allison said.

Right now, the most crowded fields of criminal activity are the digital theft of music and movies, illegal prescription-drug sales, and “phishers,” identity thieves who pose as financial institutions like Citibank or Chase and send out fake e-mail messages to people asking for personal account information. The Anti-Phishing Working Group, an industry association, estimates that five to twenty percent of the recipients respond to these messages.

In 2003, 215,000 cases of identity theft were reported to the Federal Trade Commission, an increase of thirty-three percent from the year before. Bad news for consumers, a growth opportunity for ICG. “The bad guys will always be out there,” Mr. Allison said. “But we’ve getting better and better. And we’re catching up quickly.”

Internet fraud has created good business opportunities for cyber detectives.

Online troublemakers may include people who are unhappy ex-employees of a company.

Spamming is annoying to a company, and is causing greater financial losses nowadays.

Ericsson, the Swedish telecommunications company, used to be troubled by an online telephone scandal.

As long as Internet security companies search hard enough, they always end up successfully finding a spammer.

Searching for a spammer can be difficult partly due to the existence of software that hides the spammer’s identity.

The spammer found by Mr. Bedser and his team felt guilty for what he had done.