Scam Costs Net Users Thousands
In Transatlantic Telephone Bills
By ROBERT E. CALEM
A new variety of Internet scam, in which a downloaded application
surreptitiously reconnects a user's computer to a telephone number in Eastern
Europe, has cost thousands of people in the United States and Canada tens of
thousands of dollars in long-distance phone charges since December.
The scam worked this way: Visitors to several Web sites, including at least
two sex sites, were offered free pictures on the condition that they download
special image-viewer software. But when configured on a Windows machine, the
software would turn down the volume of the PC's speakers and modem, disconnect
the call to the user's regular Internet service provider, then dial a phone
number in the Republic of Moldova on the northern coast of the Black Sea. A
switch connected to the phone number in Moldova would then route the call to
an Internet server in Scarborough, Ontario, to access the images.
Though the Royal Canadian Mounted Police said Monday that they were hot on
the trail of those responsible, computer security experts say that the con is
not difficult to pull off and that they expected the crime to be copied.
However, they added that it would be relatively easy for alert Internet users
to guard against the scam.
Cpl. Marc Gosselin of the Mounted Police Computer Crime Unit in Montreal said
that the server in Ontario would also give access to the whole Internet,
giving users no clue to what was happening. Thus, the phone connection to
Moldova would continue long after a visitor had exited the illicit site and
even after he or she had closed the Web browser. As a result, some victims
received phone bills as high as $6,000 for their connect time. The lowest
phone bill was $8, Gosselin said.
Jacques Desjardins, associate director of corporate security at Bell Canada,
said the scam was first detected in Quebec late in December, when calls of
long duration to Moldova began appearing on many phone bills.
Gosselin said that Bell Canada was reporting that more than 1,200 people had
been victimized in the province of Quebec alone, for damages totaling about
$75,000, and he said that the Montreal Royal Canadian Mounted Police, who
received their first reports of the scam on Jan. 19, were still waiting Monday
for reports from the rest of Canada.
But Daniel Hansen, a spokesman for Bell Canada in Montreal, said Friday that
only a couple hundred customers had been affected.
Thousands more Internet users were victims of the scam in the United States,
according to AT&T. John Heath, a spokesman for AT&T in Basking Ridge, N.J.,
said that AT&T had also noticed a high volume of calls to Moldova on its
customers' phone bills as early as last December, had suspected fraud and had
called each of the customers.
"But the more we talked to customers, the more feedback we got that it was
their modem line," Heath said. AT&T's more "computer savvy" customers figured
out what had happened on their own and reported it to the long-distance
carrier, he said.
Heath said AT&T's security people had told him that the Royal Canadian
Mounted Police were investigating a Canadian company that reportedly had
funneled the calls to Moldova.
Gosselin said the Mounted Police had determined that the server in Canada and
the phone number in Moldova were registered to the same company, which he
declined to identify.
Heath said that AT&T customers caught in the scam generally got stung for
several hundred dollars. "I can't get any more specific than that, but some of
the bills were substantial," he said.
Neither AT&T nor Bell Canada will forgive the victims' charges, because the
call was to an overseas phone number.
Rich Petillo, manager of network security at AT&T in Bridgewater, N.J., said
that since "we have charges due a foreign phone company" in Moldova, AT&T had
no choice but to pass the charges on to the customers.
Desjardins added, "This is not subject to billing and collection agreements
with normal sex-type providers."
For example, charges incurred by a child's calling a fee-based 1-900 phone
number are usually absorbed by the phone company on the first occurrence. The
parent or guardian is then offered a chance to permanently block the phone's
access to such numbers in the future.
Desjardins said that Bell Canada charges from $1.50 to $2.50 per minute for
calls to Moldova, depending on the time of day.
By comparison, AT&T charges from $2.12 to $2.93 per minute, but Heath said
that the company would retroactively apply its best international discount
rate to the fraudulent calls in this case.
Because of the cross-border effects of the crime, Gosselin said he expected
that Canadian and United States officials would jointly prosecute the scam
artists if and when they were caught. He estimated that the Canadian police
would be working on the case for at least another month and invited anyone on
either side of the border who was victimized by the scam to _send him e-mail_.
Gosselin said those responsible would face Canadian charges for public
deception, unauthorized access to a computer (the victim's) and theft of
telecommunications, the Canadian term for using time on a phone line without
According to the Mounted Police and other sources, at least three Web sites
and multiple phone numbers in Moldova were involved in the scam. The numbers
have since been blocked in both the United States and Canada, and the Web
sites have reportedly been shut down as well.
Gosselin identified sexygirls.com as the site he used to test the scheme
while Bell Canada monitored his modem calls, and he said another site,
erotica2000.com, was also involved in the scam. Gosselin said other
authorities had told him that a third site devoted to the cartoon characters
Beavis and Butt-head had also been involved.
The downloaded file that caused all this trouble went under the names
david.exe and david7.exe.
After hearing about the scheme, researchers from Solid Oak Software, Inc. of
Santa Barbara, Calif., an Internet software publisher, found the david.exe
file at two more sites -- thorn.net/~bigman/newdoc.html and
Telecommunications and computer security experts said that the scam was
technically easy to pull off, and they predicted that it would resurface again
and again as the details spread through the hacker community.
"The truth is, you can download any code and if it runs locally it has access
to your system resources," said William Pence, director of digital media
solutions at IBM's T.J. Watson Research Center in Hawthorne, N.Y. Turning off
the sound of the modem is "trivial," Pence said. It can be done either through
a so-called AT command, which controls the modem's operation, or by
conducting "system calls" within Windows 95 to lower the volume on the PC's
Brian Milburn, president of Solid Oak, said, "Anything that can be
downloaded, whether it's downloaded as an application or as part of a Web
site, has the potential for doing this."
The danger isn't limited to executable files; it could be realized in
Microsoft Corporation's ActiveX controls for the Windows operating system or
in applets written in Sun Microsystem's Java programming language, Milburn
Moreover, Milburn said, it's possible for a trojan horse, as such programs
are known, to alter the computer's default settings to connect to the
long-distance phone number on an ongoing basis "until it's discovered." It can
do this by altering the Registry file in which the computer's configuration
settings are kept by Windows 95 and Windows NT. Among the information stored
in the Registry are the name and phone number of the default Internet service
Experts also advised paying close attention to the modem's activity. They
recommended keeping an eye on an external modem's indicator lights, or, in
Windows 95, keeping the task bar visible to watch for a disconnection.
Finally, they advised that users not disable the warning messages built into
"That's your last line of defense," Milburn warned. "It may be inconvenient,
but [ignoring] it may end up costing you thousands of dollars. This is going
to happen more. This is just the beginning."
Petillo, of AT&T, agreed. "There's no way to absolutely protect customers,"
he said. "Their modems are there to make calls. I do think it's likely to