An Everyday Crime

BY JOHN D’AMICO

On December 25, 2011, Garicchi, a tech blogger and self-described Windows enthusiast, saw his inbox flooded with alerts. In his sent mail folder were recorded scores of virus-laden messages sent off without his knowledge to every person on his contact list. His account—and all the personal information on it—was completely compromised. When he began his blog post with the words “This was the absolutely worst Christmas ever,” he echoed the sentiments of many around Japan who found themselves victims of a series of cyber-attacks on Google Mail accounts that morning.

Until July 2011, Japan had no legislation on its books to prevent or prosecute cyber-attacks in the country. Now, the government can seize data of any kind from a computer suspected of affiliation with a cyber-attack, a potential opportunity for gross abuse of police authority. Yet the recent cyber-attacks raise questions regarding the success of both Japanese and international regulations. David Thaw, a fellow at the Information Society Project at the Yale Law School and an expert on cybercrime, noted that “the problem is one of metrics—how do we determine a means of measuring effectiveness?”

The methods behind everyday cybercrime help ensure the near impossibility of tracing, let alone cracking down on, offenders. A variety of popular techniques exist for hacking into email accounts, ranging from simply guessing the password to somewhat more sophisticated “dictionary attacks” which choose from a preselected list of likely words in order to find the password. Garicchi, however, suspected the crime arose from the free hotel Wi-Fi he connected to the day before. According to him, “intruders could much more easily gather relevant account information through an unsecured network.” Iwakawa Yoshifumi, another tech-savvy blogger caught up in the recent cyber-attacks, hypothesized that the hackers gained access “via other website accounts with the users’ personal information on it,” exploiting the fact that people generally reuse passwords from account to account.

After accessing a few accounts, the hackers spammed the address lists of their victims with links which, when clicked on, would automatically hijack the recipient’s account. While it seems like common sense to avoid suspicious links in emails, the hijacking cases spread faster and faster throughout the end of December. Professor Thaw’s succinct explanation: “Yes, people are just that stupid.”

With bloggers swapping radically different theories about the original cause of the attacks, and with hijacking more or less occurring through self-propagation past the first few intrusions, it is no wonder that law enforcement finds it difficult to investigate even the most minor cybercrimes. Further complicating the story, virtually every victim traced the illegal access to a different source, although most came from cities within America. Attacks arrived by way of computers in Mountain View, California; East Rutherford, New Jersey; Bellevue, Washington, and many other cities. Since hackers can disguise their original location through such proxies with ease, the level of transnational coordination involved often makes enforcement by any one country alone too burdensome to pursue.

Yet the question remains—why did these hackers bother at all? After all, the moneymaking potential of the attacks pales in comparison to more newsworthy raids on corporations like eBay. Still, as the blogger Iwakawa pointed out, the connections between email accounts and a wide variety of other services “magnifies the scope of damage [and profit] of an account hijacking considerably.” Through the email account itself and any connected accounts, hackers can gain potentially valuable personal and financial data, such as credit card numbers or bank account information. Because the attacks can self-propagate, they bear little risk or cost and largely go under the radar of mainstream enforcement. As Professor Thaw stated, “The probability margins [of profit] are incredibly small, but the marginal cost of execution is even smaller,” making such hijackings low-risk and, in the long run, potentially lucrative.

Rather than worry about punishing the cyber-attackers, the Japanese blogosphere is focusing primarily on the prevention of future attacks. As national boundaries are blurred by the interconnectivity of online interaction, new responses to the issue of cyber-attacks will have to focus on how to coordinate international efforts to hold cybercriminals accountable for their actions. Given the ambiguity surrounding even the most basic of cyber-attacks, effective countermeasures will take time to develop.

John D’Amico ’15 is in Pierson College. Contact him at john.c.damico@yale.edu.