MOLDOVA is a former Soviet republic, a croissant-shaped nation the size of Maryland, surrounded by Ukraine and Romania. It is not, as a friend of mine guessed, the fictitious country in the Marx Brothers movie Duck Soup. Yet it figured recently in a scheme as tangled and improbable as anything Prime Minister Rufus T. Firefly of Freedonia might have cooked up a case involving pornography, the Internet, telecommunications fraud, and a Trojan horse. An examination of the case brings to light some of the perils of our nascent electronic world -- a world in which everything from "sites" to telephone calls to countries themselves is sometimes only virtual.
Last December and January, Internet users might have found themselves, after caroming around cyberspace as their predilections dictated, on Web sites called sexygirls.com, 1adult.com, and beavisbutthead.com. Each of these sites promised free "adult" pictures. First, though, would-be voyeurs needed to download a viewer application -- a program that would allow them to display the photos on their personal computers. There was nothing especially suspicious about this: Internet devotees routinely download software, from new versions of Netscape 's Web browser to video games such as Doom and Quake to Budweiser's Bud Ice screen saver.
This particular program, however, was different. It was what is known infamously in computer circles as a "Trojan horse" -- a program that fulfills its stated function while secretly carrying out another. The most common type of Trojan horse, according to Dan Geer, the vice-president of CertCo, an electronic-commerce security firm in New York, is one that records your name and password as you log on to an electronic account and then passes them along to someone else -- who might be able to read your E-mail, draw on your checking account, or gain access to some other private domain. Trojan horses are probably not very common: most people would know if they were being stolen from, and most people's private information is not worth the trouble to steal or the risks involved. Still, no one really knows how prevalent the programs are. As Geer laments, "The computer-security arena is plagued with underreporting."
In the case involving Moldova, while the downloaded program was providing access to the pornographic photos, a hidden regiment of subcommands was ransacking the user's computer. First the program ordered the volume on the computer's speakers turned off, to prevent the usual telephonic sounds a modem makes. Then it hung up the line to which the modem was connected and dialed a number in Moldova. That call was answered by a computer that reconnected the user to the adult site. The promised photos -- or at least one of them -- finally appeared on the screen. The viewer had no idea that while he was looking at pictures he was paying for a transatlantic phone call.
The assault didn't end there. Even after the viewer left the site, disappointed with what was often only a single photo, the phone call continued. The Moldovan horse, as it might be called, didn't allow the modem to hang up even when the customer signed off the Internet -- at which point a modem normally would. Only when the computer or the modem itself was shut off did the phone call terminate.
WHO stood to make money in this scheme? To answer that question we need to look at what happens when a person calls a foreign country. International phone calls involve separate charges levied by each carrier concerned. American customers pay a single fee per call to their long-distance provider -- for example, AT&T -- and that provider pays the foreign company its share. Phone companies in developing nations are often in dire need of customers. Few of the nations' citizens have phones, and not many calls come in from abroad. So the companies sometimes contract with entrepreneurs in the United States and elsewhere who set up phone-sex lines or other services that require calls to the country. U.S. long-distance rates are governed by the Federal Communications Commission, but for many foreign companies the sky's the limit: they can charge enough to cover sizable fees to their partners -- the providers of the phone sex or other "audiotext" product -- and still make a profit themselves. Pornography needn't be part of the arrangement, but there aren't many better ways to keep people on an expensive phone call.
The involvement of foreign phone companies in teleporn is nothing new, nor is it illegal in itself. "There's a huge business in international pay-per-call sex lines," says Eileen Harrington, a Federal Trade Commission specialist in telecommunications fraud. One reason is that if a phone-sex service uses a 900 number, as most U.S.-based services do, inadvertent customers can go through a grievance process and are likely to have their charges waived, whereas if a foreign phone company is owed money, the victims are usually held accountable by their own long-distance carriers for the charges. In addition, many people apparently find calls to Haiti, Antigua, or Montserrat easier than 900 numbers to explain to their spouses.
Again, none of this is illegal, so long as advertising clearly discloses the cost of the phone call. There are also at the moment no laws restricting pornography on the Internet, and adult Web sites and newsgroups abound there. What is illegal is deception in commerce, as in a case last fall when people found messages on their pagers or answering machines asking them to call back to learn about job openings or free vacations. The ten-digit numbers looked just like mainland U.S. numbers but in fact were for Guyana, on the northern coast of South America, and some Caribbean islands, where the phone companies charge exorbitant rates. The person who answered would keep the victim on the phone as long as possible, generating a hefty kickback from the phone company.
International phone scams, then, are old hat; and so are Trojan-horse programs. What's novel about the Moldova case is the harnessing of a Trojan horse to hijack customers' modems and initiate phone fraud. "It combines the worst of two types of fraud," says Paul Luehr, the FTC's lead trial attorney on the case.
Of course, the scam couldn't go on for long. Members of AT&T's Fraud Control Group and their counterparts at other U.S. long-distance companies, who regularly pore over phone-traffic data looking for unusual spikes in activity, soon found a big one: some 800,000 minutes of phone time to Moldova had accumulated in only six weeks -- several orders of magnitude more than usual. And when people found mysterious charges for calls to Moldova on their bills, ranging from $50 to $3,000, naturally they complained. The FTC began an intensive investigation in January, breaking down the components of the Trojan-horse program and tracing the registrations of the Web sites involved. Within a month it had shut down the sites and brought suit against the alleged perpetrators, three people on Long Island, in New York. Criminal charges have yet to be filed, but they may well be soon.
The FTC suit specifically seeks to preclude the use of such Trojan horses by invoking Section Five of the FTC Act, which prohibits deceptive acts and practices in commerce. "This is a case that we brought in record time," Luehr told me recently. "We really knocked ourselves out putting this thing together, because we realized that it wasn't just pornography customers who could be targeted; this same sort of downloading activity could take place with Mickey Mouse pictures. We wanted to protect the Internet as a viable source of commercial activity." If a shopping mall acquires a reputation as a pickpockets' hangout, it soon becomes a ghost mall.
THERE is no simple way for people to protect themselves against Trojan-horse attacks. Although some experts I have talked with asserted that an Internet-savvy surfer would not be victimized by such a scheme, others disagreed. "I can easily imagine being fooled by it," says Alan Albert, a software designer and the inventor of FileMaker Pro, a popular database-management program. "I download files all the time. Some work well, and some have bugs, but in general I assume that they're going to do what they say they'll do."
If people are aware of an ongoing scam that commandeers modems, they can watch for it; they might even set up their computers to tell them if the modem disconnects. The next scam, however, might not involve the modem. It might be something like what the Chaos Computer Club, a group of defiant hackers in Hamburg, Germany, did earlier this year simply to demonstrate the susceptibility to sabotage of supposed juggernauts like Microsoft. The hackers wrote a Microsoft ActiveX control -- a kind of Web program that when someone visits a Web site that uses it, can automatically download itself onto that person's computer, activate, and go to work. In this case the control made a hidden transaction in Quicken, a popular personal-finance program. The next time the person paid his bills online, he would also unknowingly make a payment to the hacker-thieves' account. Microsoft insists that its Web browser, Internet Explorer, will not run unauthorized ActiveX controls without warning the user. And yet the company had to admit that "malicious developers can create malicious executable code," though it claimed that "this problem exists for all downloaded executable code." In other words: Come on in, the water's fine -- but watch out for those fins.
If the FTC or another policing body can uncover a hoax, it can be stopped. Discovery is not always easy, however, when the Internet is involved. In the Moldova case there were smoking phone calls. But in many Internet scams -- for example, those in which passwords are stolen -- the victims might not ever know they've been victimized. Many Trojan horses even erase themselves after the act -- the perfect getaway. And the very nature of the Internet lends itself to camouflage. "There's no 'place' on the Internet," Geer says. "Nowhere to go looking for the culprit."
In the Moldova case the locus of the crime was particularly elusive, because although Moldovan phone numbers had been dialed, no telephones rang there. According to an international agreement, all calls from North America to Moldova go through Canada. These particular calls never got any farther; they were answered in Scarborough, Ontario, where the computer that reconnected the unwitting customers to the adult site was located. This made no difference to the Moldovan phone company or to the Long Island entrepreneurs to whom it gave kickbacks: people are charged for the number they dial, not for where the call is answered. Moldova in this instance was a virtual nation, no more substantial than any site in cyberspace. Only by tracing the registrations of the offending Web-site programs were the FTC and the Royal Canadian Mounted Police able to track down the actual scene of the crime.
How three people in Long Island were able to divert phone calls in Ontario remains a mystery. For obvious reasons the authorities are circumspect; phone messages I left for the directors of network security at AT&T and Bell Canada were returned by media-relations spokespeople who professed ignorance. Apparently, though, there is no limit to what a few lines of clever code can accomplish. The personal computer is mightier than the phone company.
Options for consumer defense against Trojan-horse programs are limited. "The only good method," Geer says, "is to make sure you know what software you're running. For the ordinary person this is quite a difficult matter." The great majority of Internet patrons are no more knowledgeable about the architecture of the software they are using than they are about how their microwave ovens work. Therefore, as Web sites increasingly require the downloading of special programs, dependable security is becoming more critical. It's not something that computer companies like to talk about, just as airlines don't tend to advertise that their planes crash less often than the competition's; however, as in airline safety, according to Geer, "there's an implicit competition that's raising the standard."
THERE are two main types of security for downloaded programs. The first requires that companies mark their software with a digital "signature." For instance, as a simplified example, the publisher of this magazine could translate all of its text into digital values, total those up, divide the sum by a particular number, and "stamp" the result on the electronic version of the magazine. If you connected to the magazine's Web site, your browser would check to make sure the signature had the correct value. If a terrorist group tried to add its manifesto as though it had been accepted and published by the editors, then your browser would produce the wrong result when it performed the signature computation, showing that the text had been tampered with.
In the second, or "sandbox," approach, a company instructs its program to remain quarantined in a virtual sandbox maintained by your Web browser in the computer's "back yard." This limits the program to certain specified functions, such as writing on the screen and communicating back to the Web site. It does not permit access to other parts of the yard, where vital programs are located. The Moldovan horse, confined in this way, would have been unable to hang up the modem and redial.
Each approach has strengths and weaknesses; neither is perfect. There will always remain the possibility of a Trojan horse so brilliantly programmed that it can mathematically forge digital signatures, so devious that it can trick your computer into letting it out of the sandbox. In the end, Geer says, "all technology security is about propagating trust." Microsoft favors the signature method, and in doing so what it's really saying is "When you download software with the Microsoft Authenticode signature, you can trust it." This is no different from trusting a car to be safe or dependable. When a person downloads a program written in Java that favors the sandbox strategy, he or she is also expressing trust -- trust that the program won't be able to leave the sandbox.
Downloading a program from an unknown Web site is a little like buying a sleeping pill that hasn't been approved by the Food and Drug Administration -- or, in some cases, like buying snake oil by the side of a dusty country road. The drug industry, though, relies on a governing body to give it credibility. Internet commerce is just the opposite: its success depends on the existence of millions of independent, largely unregulated vendors.
As we move toward a more fully digital world, the cost of manipulating information approaches zero, and the hazards therein multiply. Even our privacy is in peril. The "clickstream" pouring in to Web merchants -- the information that you provide with clicks of your mouse, from your Social Security number to what music you listen to and where you like to eat -- lets those merchants personalize their marketing, but it may be more information than you want to share widely. And some Web entrepreneurs collect this information and sell it. Supermarket scan cards may be more convenient than coupons, but, as Geer warns, they, too, "put a market price on privacy." The activities in these examples are perfectly legal, of course, but they increase the potential for electronic malfeasance.
Any new technology can be a constructive or a destructive tool. Trojan horses are simply one of the hazards of the Internet, just as telephone fraud is a hazard of Mr. Bell's invention. To some extent the snake oil will always get through.
Marshall Jon Fisher is a freelance writer and the co-author with David E. Fisher of Tube: The Invention of Television (1996).
Illustration by Giacomo Marchesi
The Atlantic Monthly; September 1997; moldovascam.com; Volume 280, No. 3; pages 19-22.