September 2, 2002

BusinessWeek Cover Story

The Underground Web

By Ira Sager, Ben Elgin, Peter Elstrom, Faith Keenan, and Pallavi Gogoi

Drugs. Gambling. Terrorism. Child Pornography. How the Internet makes any illegal activity more accessible than ever.

It's the kind of call everyone dreads. For Kristen Bonnett, the daughter of NASCAR race driver Neil Bonnett, it came on Feb. 11, 1994--the day her father crashed during a practice run at the Daytona International Speedway. A few hours later, he died. Bonnett was devastated, but she got on with her life. Then, seven years later, came a second call. This time, it was a reporter asking for comment on autopsy photos of her father that were posted on the Internet. Shocked, she quickly got online. "Forty-eight thumbnail pictures, basically of my Dad on the table, butt-naked, gutted like a deer, were staring me directly in the face," says Bonnett. Now, when she thinks of her father, she pictures him lying atop an autopsy table.

Warning: You are about to enter the dark side of the Internet. It's a place
where crime is rampant and every twisted urge can be satisfied. Thousands of virtual streets are lined with casinos, porn shops, and drug dealers. Scam artists and terrorists skulk behind seemingly lawful Web sites. And cops wander through once in a while, mostly looking lost. It's the Strip in Las Vegas, the Red Light district in Amsterdam, and New York's Times Square at its worst, all rolled into one--and all easily accessible from your living room couch.

Indeed, the very nature of the Web is what makes it such a playground for hoodlums. Its instant, affordable, far-flung reach has fostered frictionless commerce and frictionless crime. Fraudsters can tap into an international audience from anyplace in the world and--thanks to the Net's anonymity--hide their activities for months, years, forever. And they can do it for less than it costs in the physical world: $200 buys an e-mail list with the names of thousands of potential dupes. "The Web dramatically lowers transaction costs. Mostly, we think of that as a good thing," says Erik Brynjolfsson, professor of management at Massachusetts Institute of Technology's Center for eBusiness. "But it makes it difficult to control many of the activities we want to control."

That has spawned a bustling Underground Web that's growing at an alarming rate. Black-market activity conducted online will reach an estimated $36.5 billion this year--about the same as the $39.3 billion U.S. consumers will spend on the legitimate Internet this year, according to researcher comScore Media Metrix. Today, illegal online gambling is the eighth-largest business on the Internet. Complaints about child porn in cyberspace have grown sixfold since 1998. And of the total number of fraud complaints being received by the government, 70% occur on the Internet. "North of 70% of all e-commerce is based on some socially unacceptable if not outright illegal activity," says Jeffrey Hunker, dean of the H. John Heinz III School of Public Policy at Carnegie Mellon University, who helped craft cybersecurity policy in the Clinton Administration.

And that doesn't even factor in terrorism. Law-enforcement officials say terrorists are using the Internet for communication, research, recruitment, and fund-raising. The men involved in the September 11 attacks plotted and coordinated by trading e-mails from locations as innocuous as the public library. Even now, security experts say al Qaeda is trying to use the Web to plan more attacks. Computers analyzed by law-enforcement officials indicate that the terrorist group researched the U.S. telephone, electric, and water systems online, learning, for example, how digital switches operate those systems. "What keeps me awake at night is a physical attack in combination with some sort of cyberattack that would disrupt the abilities of our 911 systems," says Ronald L. Dick, head of the FBI's National Infrastructure Protection Center.

Not all threats are so overt. The Underground Web, if unchecked, has the potential to undermine the values of society. It enables--even encourages--ordinary citizens to break the law. People who wouldn't even jaywalk find themselves bombarded with offers to place bets at offshore casinos or order drugs online. For many, the offers are hard to resist. There's no need for surreptitious rendezvous in back alleys. It's antiseptic crime. "The Internet breaks down inhibitions to violate the law because the risks are much lower," says Kevin A. Delli-Colli, who heads the U.S. Customs Service CyberSmuggling Center in Fairfax, Va. "You can contact the seller anonymously, click on the product, and it's in your house."

To understand the depth of the problem, a team of five BusinessWeek reporters spent four months visiting the seedy side of the Internet. We sat beside gamblers as they placed bets on illegal gaming sites, interviewed people who bought drugs online, and talked with those who have lost loved ones because of cybercrimes. One of them was Barbara Perrin, a Long Island teacher who watched her 22-year-old son die after he bought on the Web a drug banned for bodybuilding. "My heart is broken into a million pieces," she says.

So far, the government's efforts to police the Underground Web have done little to stop its growth. Our reporters found more than 100 Web sites that appear to be engaged in a wide range of illegal or restricted activities. Italian switchblade seller AB Coltellerie, for instance, lists merchandise in U.S. dollars on its www.switchblades.it site. A BusinessWeek reporter contacted the site's online customer support to ask if they would ship switchblades to California. It's illegal to own one of these weapons with a blade in excess of two inches in California, which would make the majority of the site's inventory illegal in the state. Customer support's prompt response: "We take orders from California. Seizures are about 10% of total airmail shipments. To improve chances, you'd better choose express carrier as shipping method."

What's more, we found that even legitimate businesses enable Web outlaws. Mainstream sites such as Yahoo! (YHOO), MSN (MSFT), and Google help steer U.S. customers to gambling sites. They accept advertising from online casinos and display these ads to viewers in the U.S.--including an easy one-click link to place a bet. The practice is so widespread that the online-gaming industry has emerged as the fifth-biggest buyer of Web ads--$2.5 billion last year, according to comScore Media Metrix. "There are definitely some legality questions" surrounding this practice, says I. Nelson Rose, a professor at Whittier Law School. Microsoft Corp., which owns MSN, declined comment. A spokesperson for Google says it accepts ads from online casinos but says that policy could change. Yahoo says it will stop running gambling ads at the end of the third quarter. AOL Time Warner does not accept gambling ads on AOL but does on its Web properties such as Netscape and MapQuest.

Banks lend a hand, too, by processing the payments of customers in the U.S. who are gambling online illegally. Only under pressure from state attorneys general have some banks started to cut off credit lines to gamblers. "Online gambling poses real enforcement difficulties for us," says New York Attorney General Eliot Spitzer, who helped get a June 14 agreement with Citicorp (C) that requires the credit-card issuer to decline payments for online-gambling transactions. The message is getting through: On July 8, auction giant eBay Inc. (EBAY), which agreed to pay $1.5 billion to acquire online-payment processor PayPal (PYPL), said it will cancel PayPal's gaming business because of the "uncertain legal situation" surrounding it. In July, PayPal received two federal grand jury subpoenas concerning its processing of online gambling transactions.

Not all Underground Web activity is outright dishonest. Some is just plain vile. Anyone with a cause, no matter how weird, can have a Web site or chat room open to the world. Bonnett's autopsy photos were posted as a protest against race-car driving. And Deathndementia.com tries to appeal to rubberneckers by displaying gory accident photos and offering links to 2,000 sites, including Celebrity Morgue.

The Underground Web is bigger, broader, scarier, and more damaging than most people realize. Here's why:

GAMBLING. For Debi Baptiste, an addiction to online gambling proved to be more than she could handle. After she lost thousands of dollars playing video poker in bars near her Portland (Ore.) home, she and her husband, John, moved to San Jose, Calif., in 1999 for a fresh start. But when the family bought a home computer, Debi, 40 at the time, logged on to the Internet and began gambling at offshore Web sites--losing more than $50,000. John discovered what she was doing and changed the computer's password to lock her out. So she started staying late at her executive-secretary job to wager from the office.

Her gambling drove the Baptistes' relationship past its breaking point. On Oct. 5, 2000, John left divorce papers on the kitchen table before going to work. That morning, Debi swallowed 40 Vicodin tablets, went into the garage, and sat in the driver's seat of her car. Putting the divorce papers on the dashboard, alongside pictures of her two stepdaughters and her dog, she turned on the car. John found Debi in the exhaust-choked garage hours later. "I still loved her. I would have stuck with her," he says. "When I brought a computer into my house, little did I know I also brought a slot machine into my house."

Type "casino" into any Internet search engine, and hundreds of gambling sites surface. If you spend any time on the Web, you're almost certain to run across advertisements trying to lure you to visit a gambling site. With names like Prestige Casino, River Belle, and Aces High, these online casinos try to convey all the pizzazz of the Las Vegas Strip.

And people are betting Vegas-size bankrolls. The amount of money pouring into Internet casinos has skyrocketed from $2.2 billion in 2000 to $4.1 billion this year, according to researcher Christiansen Capital Advisors LLC. That's about 5% of the size of the legal U.S. gambling industry. Bear, Stearns & Co. (BSC) estimates that 1,500 gambling sites have sprouted across the globe, more than double the 650 casinos on the Internet two years ago. They're covering bets from approximately 4.5 million people worldwide, slightly over half of them from the U.S.

Strict laws in the U.S. prohibiting online gambling are proving about as powerful a deterrent as Prohibition was to drinking in the 1920s. Most forms of online gambling are banned by a patchwork of federal and state laws, save for state-by-state exceptions for things such as lotteries or horse-betting. Yet at least 80% of the online gambling done in the U.S. is illegal, estimates Bear Stearns analyst Jason N. Ader.

Law-enforcement authorities can't do much about it because online casinos typically set up their headquarters in countries such as Britain, Australia, or Costa Rica, where Internet gaming is legal. U.S. Justice Dept. officials say they can flex their authority if a casino owner travels to U.S. soil, operates through a U.S. bank, or sets up offices inside the country. So far, there have been few convictions.

BusinessWeek reporters tagged along with gamblers to get an inside look at online wagering. Take Kenny (not his real name), a 29-year-old financial analyst who bets weekly on sports at SportingbetUSA, a site owned by a British company and operated in Costa Rica. The site offers wagers on everything from professional baseball to NASCAR races. Kenny chooses baseball. After entering a password, Kenny looks over a betting sheet, enters a dollar amount, and clicks the box next to the team he wants to bet on. He had previously given the site his charge-card number. In less than two minutes, Kenny has $50 riding on the underdog New York Mets vs. the New York Yankees. The Mets win, and he pockets a tidy $59 profit. "It's all really very easy," he says.

Maybe too easy. Without the time-consuming effort of traveling to a casino, the pressure on problem gamblers such as Debi Baptiste is hard to resist. Indeed, the always-available gambling fix has led to more addicted gamblers while presenting a steep challenge to their recovery, say health-care workers. The California Council on Problem Gambling says 20 callers to its help line last year pinpointed Internet gambling as their downfall--up from virtually none in past years. "The Internet is making the problem a thousand times worse because of its accessibility and increased ability to hide the problem behavior," says Eric Geffner, a clinical psychologist in Southern California who works with gambling addicts.

DRUGS. The easy availability of drugs on the Web proved deadly for Eric Perrin. An avid bodybuilder, Perrin bought some dinitrophenol, or DNP, over the Net last summer because it was supposed to help him lose weight and get better muscle definition. While DNP is promoted on some fitness Web sites, it's illegal to sell for human consumption. The chemical is legal only for use in industrial applications such as a coating on railroad ties to kill fungus. In humans, DNP can shut down the liver, kidneys, and central nervous system. Last August, Perrin took DNP for several days. As his body temperature began to rise and his heart started to race, his mother, Barbara, grew concerned. "He told me, `Don't worry, Mom, I'll be all right,"' she says. "He was in a lot of pain." Eric died on Aug. 6 at a hospital near his home in Baldwin, N.Y. He was 22.

While the local U.S. Attorney is prosecuting the man who allegedly sold Eric Perrin the DNP, Barbara Perrin thinks the dealer isn't the real culprit. She places most of the blame on the Internet and Elite Fitness, a New York company that runs the Web site where her son read about the supposed benefits of DNP and got in touch with the dealer. She is convinced that without the Web, her son would be alive today. "DNP is not something you find easily," she says. Without the Internet, "Eric may have gotten steroids, but not DNP."

Even today, Elite Fitness provides what appears to be a forum for people to meet who are interested in drugs. With a quick search of the site, BusinessWeek found dozens of postings from bodybuilders promoting the benefits of DNP, explaining how to use the drug, and downplaying its health risks. After one visitor asked on an electronic bulletin board why people die from taking DNP, one of the site's moderators responded by writing: "Get your fluids, and you'll [b]e A-O.K." Another moderator posted ground rules for members to communicate in private so they could share information about "sources." And members write that the best way to check out a source for restricted drugs is to e-mail a moderator. Paul Willingham, a partner at New York's Caliber Design Inc., which owns Elite Fitness, says the site simply provides a vehicle for bodybuilders to talk about any subject. "We don't provide a forum to buy and sell drugs," he says. "We're building a community for discussing physical fitness."

Willingham, like the moderator on Elite, argues that DNP is safe. He says that DNP is only dangerous if it is combined with other drugs, such as Ecstasy or speed. Dr. Thomas Manning, the chief toxicologist at the Nassau County Medical Examiner's office, says that Perrin had no other chemicals in his body at the time of death.

Drug trafficking over the Internet is rampant. Bodybuilding drugs are plentiful. You can find recipes for making methamphetamines, Ecstasy, and the notorious date-rape drug GHB as well as links to buy the chemicals needed to make them. Pot? Simply go to Marijuana.com, and there's an advertisement for "Top-quality Marijuana seeds delivered discreetly worldwide." Says Kansas Attorney General Carla J. Stovall: "There are really no limitations to what you can get over the Internet."

Illegal drugs aren't even the big problem. The most explosive kind of drug dealing on the Internet is selling prescription drugs without a prescription. Rogue pharmacies have been set up throughout the U.S. and abroad and are blanketing the Internet with offers for all sorts of drugs. The most popular is the sexual aid Viagra--available from many sites without an in-person doctor's exam, even though Viagra requires a medical exam in most states. The National Association of Boards of Pharmacy estimates that the number of "instant" online pharmacies, which send out prescription drugs with no doctor exam, has ballooned, to about 400 from fewer than 30 in 1999.

And it's not all as innocent as trying to get Viagra without an embarrassing doctor's visit. Painkillers are among the most popular drugs sold by rogue pharmacies because some, in large doses, can give users a high similar to heroin. In March, a federal grand jury in Texas indicted three doctors and several other people for running Pillbox Pharmacy, an Internet store that sold the painkiller hydrocodone and other drugs to patients who were never examined. One of the doctors involved pleaded guilty, and the others are awaiting trial. "This is a very popular drug--and very addictive," says Jerry Ellis, the Drug Enforcement Administration manager who headed the investigation. Pillbox sold at least $7.7 million worth of drugs and attracted 5,000 customers in 2000 and 2001 before being shut down.

In some cases, it's innocent people who get hurt. Dr. Pietr Hitzig used the Net to solicit patients, claiming he could treat just about anything--cirrhosis, obesity, even Gulf War syndrome. The Baltimore doctor lured in more than 1,000 patients in the mid-1990s, charging each $1,500 and up for a combination of the diet drug phentermine and other controlled substances. The DEA found that Hitzig's treatments were causing psychosis and other problems in patients, and last November he was sentenced to 45 months in prison for illegal distribution of controlled substances. "He attracted people who weren't seeking drugs. They were looking for help," says Cathy Gallagher, a DEA supervisor in Baltimore.

CHILD PORN. In May, 2000, Russians Sergey Garbko and Vsevolod Solntsev-Elbe created a booming international business overnight: selling child pornography via the Internet. Their Blue Orchid site attracted customers who were willing to pay up to $300 for videos made in the 1980s. Then, to get something fresh to offer their clientele, the two Muscovites hired an acquaintance, Victor Razumov, to make new videos of himself having forced sex with a 15-year-old boy.

Not long after, Russian authorities investigating Blue Orchid discovered that the English-language site was running on a computer in the U.S. Moscow police called in U.S. Customs, and investigators set up a sting. On Mar. 2, 2001, Garbko and Solntsev-Elbe were busted. Police have made 16 arrests in the U.S. and Russia. Razumov is serving seven years for rape. Because Russia has no child-porn laws, Garbko and Solntsev-Elbe received only six-month sentences.

The Internet has brought new life to the child-porn trade. That's maddening for officials who thought they had nearly wiped it out with tougher laws. Anyone caught possessing, making, or distributing child porn in the U.S. can get up to 15 years in jail. But the anonymity of the Web and the difficulty of finding and shutting down sites around the world helps pornographers and their customers escape the law's clutches. Instead of having to scrounge for material in red-light districts, child-porn offenders can meet thousands of others like themselves online--buying or sharing porn without much fear of arrest. "We're seeing all new people becoming involved who have no prior police contact," says Peter D. Banks, director of training at the National Center for Missing & Exploited Children. "The ability to be anonymous has put them over the edge."

Law-enforcement officials estimate that there are thousands of child-porn sites. And the number is growing. The National Center's CyberTipline says it received 21,611 complaints about such sites in 2001, up from 16,724 the year before and 3,267 in 1998. Last year, the FBI made 514 arrests for online child porn, up from 68 in 1996.

As the number of sites rises, so do fears that more children are being sexually abused. Some online porn rings require members to post new photos to join, since many of the photos circulating on the Net are old.

Finding child porn online is shockingly easy. A Web search by BusinessWeek reporters for "little lolas" or "little boys" turned up five sites with hundreds of pictures of naked children. These sites claim they remain within the law because the photos they post do not show sex acts. But law-enforcement officials say that about 80% of the sites that show nude
pictures of children also feature kiddie porn or provide links to child-porn sites. A search of the domain registry for these sites showed owners in Russia, Britain, Grand Cayman, and Tonga. None of the sites returned e-mail questions or phone calls.

It may get even harder to stop child porn. On Apr. 16, the Supreme Court ruled that it's unlawful to ban virtual child porn--computer-generated photos--because no child is involved or harmed in making them. The case was brought by a trade association for adult-movie makers, which objected to the law on First Amendment grounds. The government says the ruling will make it tougher to prosecute cases because it will be difficult to tell virtual porn from the real thing. "We're going to be forced to prove that every picture is a real child," says U.S. Customs' Delli-Colli.

MONEY SCAMS. Cheryl Muzingo's travails started with a phone call from Discover Financial Services (MWD ) two years ago. Someone had used her name and Social Security number to apply for 16 credit cards online--and two had been approved. The swindler racked up $11,000 in bills for tickets to Disneyland, cash advances at casinos, and visits to a nail salon. The applications were online, so there was no paper trail. And the police wouldn't investigate, claiming the crime was outside their jurisdiction. The 37-year-old accountant from Henderson, Nev., did some sleuthing and found that Joanessa Warner, who worked at her company's travel agency, had stolen her data. Last October, Warner was sentenced to three years' probation and had to repay $9,550 to one credit-card company. Today, Muzingo fears her identity will be stolen again. "It has been horrible," she says.

Identity theft, stock manipulation, stolen credit cards--the Internet makes all these scams easier than ever before. Frauds that used to take days or weeks to cook up because they required office space, phones, and the postal service are done in minutes. In that time, they reach millions of potential marks. "The Internet has altered the playing field for scam artists," says John Reed Stark, chief of Internet enforcement at the Securities & Exchange Commission.

BusinessWeek estimates that financial fraud on the Net costs businesses and consumers $22 billion annually, based on law-enforcement and analyst projections. Online identity theft led to losses of $12 billion last year, according to the Identity Theft Resource Center, a San Diego nonprofit group that helps victims. Meanwhile, the SEC prosecuted cases last year in which investors lost $1.5 billion from Internet stock-manipulation schemes. Since the government estimates that only 1 in 10 Web cases is reported, actual losses could easily top $10 billion.

The scams aren't hard to find. A BusinessWeek reporter visited Yahoo's discussion boards and was directed to private discussion groups, known as Internet Relay Chats (IRC). From there, it was easy to glide into DALnet, a hangout for dealers in stolen credit-card numbers, obtained by hacking into systems of Internet merchants. A visit to any of the chat rooms--#thecc, #thacc, #cchome, or #shell_root--revealed hackers buying and selling credit-card numbers for 50 cents to $1 each. At the #thecc chat room, there's a plea from user xsythehell: "Need Discover cards, msg me for a deal." Within seconds, a note pops up from user kamusapa with a few Discover card numbers.

The con artists are careful not to get ripped off themselves, and no transaction takes place without first checking the validity of the numbers. On the message board is a program that checks the 16-digit number against the same database online merchants use to verify credit-card numbers. Several numbers quickly pop up as invalid. Then, a rash of numbers that are also being shopped go through as valid. After that, the transaction becomes private--the buyer and seller use instant messenger software to contact each other and set up payment and delivery of the credit-card numbers.

Falling prey to ripoff artists is surprisingly easy. In the course of researching this article, the credit-card number of one of the writers of this story was pinched and used to try to buy 30 Intel Pentium 4 chips at solutions4sure.com, a subsidiary of Office Depot Inc. Red flags went up because the order called for delivery to an address in Atlanta, though the cardholder lives in New York. When the Internet retailer called to verify the $6,700 order, it was squelched. It's not known how the information and phone number were obtained.

WHAT TO DO. Every 44 seconds, an unsavory act is committed on the Internet. The potential for sordid activities is as vast as the Web. There are no borders to patrol, and no single law-enforcement agency is authorized to clean up cyberspace.

What can be done? First, there needs to be a better understanding among law-enforcement officials, legislators, and citizens that the Underground Web is a serious problem. High-profile sectors such as terrorism and child porn are getting the funding for investigators and the necessary technology to weed out wrongdoing. But other areas, including gambling and drugs, get only modest attention from officials. When it comes to drugs, politicians think citizens care more about sales on the streets than on the Net. Yet online drug peddling can be worse. "A doctor prescribing drugs over the Internet can reach many, many more people than a street-level drug dealer," says Robert McCampbell, a U.S. Attorney in Oklahoma who has prosecuted Net drug sales.

One consistent problem is balkanization. Too many cops are stuck in a game of jurisdictional roulette. Internet financial fraud, for example, can be investigated by the FBI, Secret Service, Justice Dept., SEC, or the Federal Trade Commission. If it's international, then the Customs Service can weigh in. The resulting competition and confusion among agencies works to the advantage of criminals.

One solution is to make clear who is responsible for policing the Web. The Secret Service could take overall responsibility for financial fraud on the Internet since it has a lot of experience fighting cybercrime. The FBI would be the logical choice for online gambling and child porn. The DEA could target Internet drug dealing. The agency already has set up a special Net investigations unit, though it hasn't begun operating yet.

After establishing who will fight crime on the Web, there are a number of state models that cops could follow to attack the problems. California, for example, has made progress in stopping identity theft. Because a lot of thieves get credit-card data from paper receipts, the state requires all credit-card receipts to include only the last five card numbers. California also requires police to take reports from victims, something many local police forces are reluctant to do since they view ID theft as out of their jurisdiction. Expanding the California approach nationwide may prove effective.

When it comes to drug sales, Kentucky has one of the most advanced systems in the country. Pharmacies in most states don't share data. Kentucky, however, has built an integrated computer system that tracks drug sales from all pharmacies in the state. The technology allows doctors or pharmacists to see in an instant whether a patient has a drug problem--and it lets regulators see whether a doctor or pharmacist is prescribing unusual quantities of drugs. "If we could clone Kentucky, we would," says Kate Malliarakis, a branch chief at the Office of National Drug Control Policy.

Many states, led by Nevada, have tried to crack down on spam, but there are no federal laws against mass, unsolicited e-mail. Such legislation is important since spam is one of the chief ways fraudsters market their scams. To cut down on spam, heavy fines should be imposed. One bill before Congress--Controlling the Assault of Non-Solicited Pornography & Marketing (CANSPAM)--comes the closest. The bill would let the FTC penalize senders of unsolicited e-mail and require valid "remove me" options on all messages.

Nothing will work, however, without putting teeth into the laws that are already on the books. The best deterrent may be a clear message that both the supplier and the buyer of illegal goods will face stiff penalties if they're caught. That hasn't been so in the past, but it could be changing. On May 17, one of the leaders of an international Internet ring that pirated software, movies, and games was sentenced to 46 months in prison, one of the longest sentences for theft of intellectual property. Customs agents who monitor chat rooms where pirates hang out say there was shock over such stiff sentences. "People were saying, `I'm getting out of the game,"' says Customs Agent Allan Doody.

Congress appears ready to get tough. On July 15, the U.S. House of Representatives approved The Cyber Security Enhancement Act, which promises life sentences for cyber attacks that recklessly endanger human life. Today, the maximum prison term is 10 years.

There will always be a seedy side to the Internet, just as there is one to every city. Cleaning up the Net will take vigilance and a slew of legal and public actions. For now, though, the Web has too many dark and dangerous corners and too little law and order.