Computer fraud case studies

Background

The purpose of this page is to explore case studies in using Information Technology to commit fraud. Computer fraud is the act of using a computer to commit fraud (A deception deliberately practiced in order to secure unfair or unlawful gain.). Computer fraud is a criminal offense punishable by jail time and fines under the Computer Fraud and Abuse Act.

Case Studies

Case 1: Unauthorized Access at North Bay

Jessica Quitugua Sabatia, a former accounts payable clerk for North Bay Health Care Group, admitted to using her computer to access North Bay’s accounting software without authorization, and in turn issued approximately 127 checks payable to herself and others. Several of the checks were cashed by Sabatia or deposited into her personal bank account, and some were deposited into the bank accounts of others. She attempted to conceal the fraud by altering the electronic check registers of North Bay to make it appear as if the checks had been payable to the company’s vendors. The fraudulent scheme resulted in losses to North Bay of at least $875,035.

On May 27, 2004, Sabatia, plead guilty to two counts of computer fraud, and faces a maximum sentence of five years in prison and a $250,000 fine.

Case 2: Denial of Service Attack

Scott Dennis, a former computer system administrator for the U.S. District Court of Alaska, initiated three denial of service attacks on Judsys, a private mail list server that is owned and operated by the U.S District Court for the Eastern District of New York. Dennis was able to shut the system down by flooding it with numerous emails, which resulted in the computer maintaining Judsys needing to be shut down and taken out of operations, reconfigured, and brought back on line again. Investigators were able to identify Dennis as the perpetrator by tracing the Internet Protocol addresses back to his personal computer.

On January 19, 2001, Dennis was sentenced to six months incarceration; three months in jail and three months of home confinement, followed by one year of supervised release. Additionally, he must allow authorities to monitor his computer activity, and perform 240 hours of community service.

Case 3: Malicious Systems Admin at UBS

A disgruntled computer systems administrator for [http://www.ubs.com/ UBS PaineWebber] was charged with using a "logic bomb" to cause more than $3 million in damage to the company's computer network, and with securities fraud for his failed plan to drive down the company's stock with activation of the logic bomb. Roger Duronio is charged in one count of securities fraud which carries a maximum penalty of 10 years in federal prison and a $1 million fine and one charge of computer fraud which carries a maximum prison sentence of 10 years and a fine of $250,000 or, alternatively, two times the gain made by the defendant or the loss suffered by the victim.

Duronio, who worked at PaineWebber's offices in Weehawken, N.J., planted the logic bomb in some 1,000 of PaineWebber's approximately 1,500 networked computers in branch offices around the country. The logic bomb, which was activated after Durino resigned, deleted files on over 1,000 of UBS PaineWebber's computers. It cost PaineWebber more than $3 million to assess and repair the damage. Duronio also purchased more than $21,000 of "put option" contracts for UBS PaineWebber's parent company, UBS, A.G.'s stock, hoping the that the stock would decline in response to the damage caused by the logic bomb. The bomb attack did not have any impact on the price of the stock.

The investigation of Duronio was conducted by the U.S. Secret Service’s Electronic Crimes Task Force with help from UBS PaineWebber.

[http://www.informationweek.com/story/IWK20021220S0020 Robert Duronio]

Case 4: Illegal Data Mining

The owner of Snipermail, a business that distributes advertisements via the Internet to e-mail addresses on behalf of advertisers or their brokers was indicted for conspiracy, unauthorized access of a protected computer, access device fraud, money laundering and obstruction of justice.

It was alleged that Scott Levine and other Snipermail employees illegally accessed a computer database owned and operated by Acxiom Corporation, a company that stores, processes, and manages personal, financial, and corporate data on behalf of its clients. On numerous occasions, Levine and others illegally entered into an Acxiom file transfer protocol (ftp) server and downloaded significant amounts of data. The intrusions were traced back to an internet protocol address that belonged to one of Snipermail’s computers. The downloading of the databases lasted for period of a year and a half and represented 8.2 gigabytes of data. While the stolen data contained personal information about a great number of individuals and could have resulted in tremendous loss if the information were used in a fraudulent way, there was no evidence to date that any of the data was misused in this way. Acxiom, immediately notified law enforcement upon discovery of intrusions into its system and assisted with the investigation which was conducted by a task force formed the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS).

[http://www.washingtonpost.com/wp-dyn/articles/A4364-2004Jul21.html Scott Levine]

Case 5: The Melissa Worm

David L. Smith, a 31-year old New Jersey programmer was accused of unleashing the “Melissa” computer virus, a Visual Basic for Application based worm. This virus was propagated by deliberately posting an infected document to an alt.sex usenet newsgroup from a stolen AOL account. It is believed that Smith named the virus after a stripper he had known in Florida. He constructed the virus to evade anti-virus software and to infect computers using Microsoft Windows and Word programs. The Melissa virus appeared on thousands of email systems on March 26, 1999, disguised as an important message from a colleague or friend. The virus was designed to send an infected email to the first 50 email addresses on the users’ Microsoft Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The virus proliferated rapidly and exponentially, resulting in substantial interruption and impairment of public communications and services. Many system administrators had to disconnect their computer system from the internet. Companies such as Microsoft, Intel, Lockheed Martin and Lucent Technologies were forced to shut down their e-mail gateways due to the vast amount of email the virus was generating. To date, the Melissa virus is the most costly outbreak, causing more than $400 million in damages to North American businesses.

Smith was one of the first persons ever to be prosecuted for writing a virus. He was sentenced to 20 months in federal prison and a fine of $5,000. He was also ordered to serve three years of supervised release after completion of his prison sentence.

The investigation was conducted by members of the New Jersey State Police High Technology Crime Unit, the Federal Bureau of Investigations (FBI), the Justice Department’s Computer Crime and Intellectual Property Section, and the Defense Criminal Investigative service.

Case 6: The Wake County Transportation Fraud

During a 2 and 1/2 year period, certain employees of the Wake County School Board in Raleigh, North Carolina, conspired with employees of Barnes Motor & Parts Co., based in Wilson, NC, to divert over $4.8 million through the use of fraudulent invoices in order to receive various kick-backs. Examples of items received included personal items such as automobiles, campers, golf carts and plasma-screen televisions. The scheme succeeded despite apparently strong internal controls, such as a bid limit of $2,500. At the time, the School Board employed only one internal auditor. Although the auditor had audit software which should have easily detected these unusual patterns, it was either not used or misapplied. There were numerous red flags that were not noticed. The story received wide press. [http://www.newsobserver.com/news/crime_safety/wakefraud/]

Once the School district fired the employees and an investigation was performed, $4.8 million was recovered from Barnes and the former employees. Some of the employees involved received jail sentences, and returned at least some of the property stolen. Harold Ray Estes was sentenced to 11 - 15 years and fined $500,000. [http://www.newsobserver.com/211/story/479287.html] . Vern Hatley, the Transportation Director, is serving a sentence of seven to ten years. Carol Dail Finch received a sentence between five years ten months and seven years nine months.

Once the fraud was discovered, an audit was performed and the report is available at [http://www.wcpss.net/audit/summerford.pdf Summerford audit report] .

ee also

*Information security
*Information technology audit
*IT audit resources

External links

* [http://blogs.ittoolbox.com/security/investigator/ Information Security & Computer Fraud Cases & Investigations]
* [http://www.ubs.com/ Union Bank of Switzerland]

References

* [http://www.crime-research.org/news/10.06.2004/419/ Woman Hacks North Bay Health Care Group]
* [http://www.infosecnews.org/hypermail/0102/3493.html Former System Admin. Sentenced For Hacking NY Court Web Site]
* [http://www.cybercrime.gov Cyber Crime] - More case studies plus source for the studies described above.
* [http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm The Computer Fraud and Abuse Act] - Text of the most recent revisions to the Act.
* [http://www.securitystats.com/crime.html Computer Security Statistics: Crimes and Penalties]