Saturday, January 4, 2014

Cybercrime in the 1990s

Note: This is a section of the full research paper

By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people conducting online banking and credit card transactions, lack of legal framework and resources to prosecute cyber crime, and poor security. Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’ project - a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’.  In a single decade, the Web grew from non-existent to over 17 million web sites. [1]

The other history-altering event was the build out of public internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got on-line.  At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million.

Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got on-line too, with 10 million people conducting banking online in 2000.

Adoption of the internet was not just a U.S. phenomenon. Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its Allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world. The result was, and remains today, an internet with no functional legal system for fighting crime.

Motives and Crimes
With the millions of new systems coming online, the 1990s was a target rich decade for hackers.  Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.

The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. documented many of the web site hacks through its web page hack mirror at According to Attrition’s data, four web sites were hacked in 1995.  Attrition reported 1905 websites being hacked in 1999.

Number of Website Defacements Reported by[2]

Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo.  Other high profile sites to be compromised included the U.S. Senate’s,,, and

The content placed on these sites ranged from ‘Free Kevin!’, to pornography; from taunting messages like ‘Look you sorry ass system admin…’, to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised site is shown below.[3]

There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin, broke in to the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel.

In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records.  Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence of the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNET called it the ‘biggest hacking fraud ever’.[4]

Though the Melissa Virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa Virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. In asking why he did it, David Smith stated that he just wanted to see if it would work.

It did work – splendidly, crashing an estimated 100,000 email servers. People readily opened the malicious document received from someone they knew containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew. 

A few political hacks occurred during the decade. In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke in to several servers of the India Atomic Research Centre and modified the organizations homepage and stole thousands of emails and related research documents.[5] That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic.[6]