When a country institutes laws against computer abuses, a computer abuse becomes a computer crime. Not all abuses, however, constitute a crime. For example, consider a hacker who breaks into someone's computer system without permission. If the hacker steals confidential data from the system, this is considered a crime in some countries. A hacker who simply gets into the system to explore it—that is, to see how it works and what files it contains, may have breached privacy but has not necessarily committed a crime. Both acts, however, are unethical. Below we show actual examples of computer crimes. These cases happened in the US where computer crime laws are well established.At the end of this module, it is expected that you will be able to determine when a computer abuse counts as a computer crime.
Credit Card FraudA person in the US was sentenced to a term of 27 months in prison after being found guilty of defrauding Priceline.com and others with credit card information unlawfully obtained from a credit union employee. The person was also ordered to pay restitution in the amount of $116,869.30 and serve a three-year term of supervised release following his incarceration.
On March 1, 2002, the person pled guilty to three felony counts, including wire fraud, conspiracy to obtain unauthorized computer access to customer account information from a financial institution, and credit card fraud. He admitted to masterminding a scheme to defraud Priceline.com, Southwest Airlines, the Hotel Reservations Network, Inc., a credit union, and the credit union's credit card holders, by making fraudulent Internet credit card charges for hotel and airline reservations, totaling more than $116,000. He obtained the confidential customer account and credit card information from a credit union employee, who was subsequently terminated and convicted. He then used the credit card information to make hotel and airline reservations on the Internet and telephone. Most of the reservations were made with Priceline.com, Southwest Airlines, and the Hotel Reservations Network, Inc.After making a reservation with the credit card information, he would enlist another person to check into the hotel room using the reservation and credit card information he supplied, and to return the hotel room keys to him. He then obtained full use of the hotel rooms.[U.S. v, Luckey (E.D. Cal.) May 17, 2002]
Creating a Virus and Unleashing It To a NetworkA man accused of unleashing the "Melissa" computer virus in 1999, caus ing millions of dollars in damage and infecting untold numbers of computers and computer networks, was sentenced to 20 months in feden prison. He was also ordered to serve three years of supervised releas after completion of his prison sentence and was fined $5,000. He we further ordered, upon release, to keep away from computer network the Internet, and Internet bulletin boards, unless authorized by the Court. At the plea hearings, the virus creator admitted that he created the Melissa virus and disseminated it from his home computer. He said that he constructed the virus to evade anti-virus software and to infect cor puters using the Windows 95, Windows 98, and Windows NT operating systems and the Microsoft Word 97 and Word 2000 word processing programs.
The Melissa virus appeared on thousands of email systems on March 26, 1999, disguised as an important message from a colleague or friend. The virus was designed to send an infected email to the first 50 email addresses on the users' mailing lists. Such emails would be sent only if the computers used Microsoft Outlook as its email program.
Because each infected computer could infect 50 additional computers, which in turn could infect another 50 computers, the virus proliferated rapidly and exponentially, resulting in substantial interruption or impairment of public communications and services. According to reports from business and government following the spread of the virus, its rapid distribution disrupted computer networks by overloading email servers, resulting in the shutdown of networks and significant costs for repairing computer systems.The virus creator described in state and federal court how, using a stolen America Online account and his own account with a local Internet service provider, he posted an infected document on the Internet newsgroup "Alt.Sex." The posting contained a message enticing readers to download and open the document with the hope of finding passwords to adult-content websites. Opening and downloading the message caused the Melissa virus to infect victim computers. The virus altered Microsoft word processing programs such that any document created using the programs would then be infected with the Melissa virus. The virus also lowered macro security settings in the word processing programs. The virus then proliferated via the Microsoft Outlook program, causing computers to send electronic email to the first 50 addresses in the computer user's address book.[U.S. v. Smith (D. NJ) May 2, 2002]
HackingA Boston man was charged with using his home computer to illegally gain access to a number of computers, including those controlled by NASA and an agency of the U.S. Department of Defense, where, among other things, he intercepted login names and passwords and intentionally caused delays and damage in communications. In April 1999, the hacker obtained unauthorized access to a corporate Internet account, which he then used to illegally access a computer controlled and operated by the U.S. Defense Logistics Agency. He then concealed his actual computer address through a service known as "telnet proxy" which made it seem like his address was that of the government's computer. Once "hidden", he accessed, without authorization, the web site of Internet service provider ZMOS, and recklessly caused damage to the ZMOS computer located in the State of Washington. As a result, ZMOS, which hosts corporate web pages and provides Internet service to corporate customers, suffered a significant loss of business.
Beginning in May 1999 and continuing until August 1999, the hacker obtained unauthorized access to the same corporate Internet account, this time using it to access the NASA computer research project web server located in Maryland. He seized control of the NASA computer, allowing him to read, delete, or modify any files on the system. He then installed a "sniffer" program onto the system to intercept and save login names and passwords of users that were transferred over the NASA system for his own later use. The compromised NASA web server did not contain classified or sensitive information and was not involved in any way with satellite command or control.The hacker also used the NASA computer as a platform to launch attacks on other computer systems, such as an attack on the U.S. Department of the Interior's web server, where he defaced web pages with hacker graphics.The hacker also allegedly accessed various computers operated by Northeastern University, from which he illegally copied a file containing the names, dates of birth, addresses and social security numbers of numerous men and women affiliated with the University, either as students, faculty, administration, or alumni. Investigators however are not aware of any use or dissemination of this information. Northeastern University cooperated fully with investigators on this matter.If convicted, the hacker faces a maximum penalty of 10 years incarceration and a fine of $250,000.[U.S. v. Iffik (D. Mass.) February 23, 2000]
Stock FraudTwo former Cisco Systems, Inc. accountants were each sentenced to 34 months in prison for exceeding their authorized access to the computer systems of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves.In pleading guilty, both accountants admitted that between October 2000 and March 27, 2001, they participated together in a scheme to defraud Cisco Systems in order to obtain Cisco stock that they were not authorized to obtain. As part of the scheme, they exceeded their authorized access to computer systems at Cisco in order to access a computer system used by the company to manage stock option disbursals; used that access to identify control numbers to track authorized stock option disbursals; created forged forms purporting to authorize disbursals of stock; faxed the forged requests to the company responsible for controlling and issuing shares of Cisco Systems stock; and directed that stock be placed in their personal brokerage accounts. The two defendants admitted that the first time that they did this, in December 2000, they caused 97,750 shares of Cisco stock to be placed in two separate Merrill Lynch accounts, with 58,250 of the shares deposited in an account set up by one of them and 39,500 shares deposited in an account set up by the other accountant. In February 2001, they caused two additional transfers of stock, in amounts of 67,500 shares and 65,300 shares, to be transferred to brokerage accounts in their names. The total value of the Cisco stock that they took on these three occasions (at the time that they transferred the stock) was approximately $7,868,637,[U.S. v. Osowski (N.D. Cal) November 26, 2001]
SpammingIn a 1998 lawsuit brought by America Online against an unsolicited commercial e-mail sender, the judge awarded AOL compensatory and punitive damages and permanently barred the commercial e-mail sender from sending bulk unsolicited commercial e-mail to AOL members or through AOL services.[America Online Inc. v. Prime Data Systems Inc., 1998 U.S. Dist. LEXIS 20226 (E.U Va. Nov. 20, 1998).]In another lawsuit, Hotmail sued a company for allegedly providing false e-mail header information in unsolicited commercial e-mail which made it appear that the messages originated from Hotmail accounts. In that lawsuit, a federal court in California found that Hotmail established a likelihood of success of establishing false designation or origin, unfair competition, dilution, violations of the Computer Fraud and Abuse Act, breach of contract, fraud, misrepresentation, and trespass to chattel. The court then issued a preliminarily injunction enjoining the defendant company from falsely designating Hotmail addresses as the point of origin of their commercial e-mail messages,[Hotmail Corp. v. Van Money Pie Inc., No. C98-20064,1998 U.S. Dist. LEXIS 10729 (N.D. Cal, Apr. 16, 1998)].
Hate and Vengeance CaseA former employee in the Human Resources department at Marsh Inc., an insurance company located in Manhattan, was sentenced in a Manhattan federal court to 18 months in prison for illegally accessing and deleting hundreds of computer records at Marsh. On October 31, 2001, the hacker pled guilty to a one-count indictment charging him with accessing a protected computer without authorization and deleting approximately 950 files relating to employee compensation.A female employee at Marsh had complained that the hacker was harassing her because she rebuffed his romantic advances. He was later terminated from Marsh and obtained employment at Viacom, Inc. In January 2001, he used a password belonging to another employee at Marsh to obtain unauthorized access to Marsh's computer database and deleted approximately 800 files relating to the compensation of Managing Directors at Marsh and approximately 150 files relating to compensation of other Marsh employees. He also altered the female employee's compensation record to reflect a $40,000 increase in her salary and a $100,000 bonus. In February and March 2001, senior managers at Marsh received an email attached to which was a file containing information from the deleted salary files. The email appeared to have been originally sent from an e-mail account established at Hotmail.com. The user ID of that account contained the female employee's last name. The female employee denies having established that account. A forensic image of hacker's computer at Viacom revealed that the e-mails to the senior managers at Marsh were sent from that computer.[U.S. v. Leung (S.D. N.Y.) March 27, 2002]
