The sleepy suburban neighborhood in Bogota, N.J., looked safe when Michael pulled up to meet the man who had offered to buy his MacBook after seeing an ad on Craigslist. And everything seemed perfectly normal when the buyer walked up to his car and began counting out cash.

But then a second man appeared seemingly out of nowhere and shoved a shotgun in Michael's face.

"It was pretty terrifying," said Michael, who let the pair take the computer from his trunk, then watched them run off into the night. "I thought they were going to take the car."

The robbery is just one example of a disturbing new kind of theft that blends cybercrime with the physical dangers of real crime.  Across the country, Craigslist users who agree to meetings in seemingly safe places are being robbed at gunpoint, pistol-whipped and, in at least one case, murdered.  In Chicago, police call it "robbery by appointment."

 Just last week, the city of Oakland, Calif., issued a wide-ranging warning about Craigslist-related car sales. A gang there has progressed from one theft per week to one per day, stealing thousands of dollars from victims using ads on Craigslist to lure them into meetings. The police now have an entire investigative team dedicated to tracking them down.

"They are getting more blatant and violent," said Oakland police spokeswoman Holly Joshi. "The last (victim) got pretty beat up.  Right now it's a top priority for us."

Craigslist robbers appear to be much more sophisticated than the criminals that Web users routinely encounter. Their ads are indistinguishable from normal for sale items, Joshi said. They return phone calls using local phone numbers; they offer to meet in public places, foiling much of the "safe surfing" advice that's been given for years.

Among the more disturbing elements of the crimes: Many are taking place in broad daylight or early evening hours, and in what seem to be safe neighborhoods.

"Meeting in a public place really is not good enough," Joshi warned. She said most crimes there are occurring between 2 and 6 p.m. "Residential areas can be relatively isolated during the day."

That's what happened to Michael, who asked that his last name be withheld.  He met his suspects in a nice neighborhood in Bogata, about 10 miles west of New York City, only a few blocks from the police station -- but the block itself was quiet and empty during the incident.

Nothing seemed unusual about the transaction until the gun appeared, Michael said. But in retrospect, he thinks he should have been surprised that the buyers didn't make any attempts to negotiate the price with him.

"They were just very concerned with setting up a meeting," he said.  "That was the only thing that was strange."

Michael got off easy, losing only his used computer.  A scan of incidents around the country show much more dire consequences for some other Craigslist users.

In Raleigh, N.C., a man's car was sprayed with bullets by Craigslist robbers earlier last year, while a woman in Newport Beach, Calif., was pistol whipped during an alleged bicycle sale. There have been a string of dirt-bike related Craigslist robberies in Ohio, and just before Christmas, an Ohio man was shot in the jaw during one incident. In Stafford, Va., criminals allegedly selling deep-discounted iPhones brazenly invited consumers to meet them on the steps of the county courthouse. And in Sarasota, Fla., police issued a warning on New Year's Eve after a similar string of iPhone-related armed robberies.

The most dramatic Craigslist appointment robbery occurred last year in rural Pierce County in Washington state, when four suspects allegedly  went to a home with robbery plans in response to a diamond ring offered for sale on the site. After a violent exchange, police say, homeowner James Sanders was shot and killed while his wife and child looked on.  All four suspects are now in custody awaiting trial.

Craigslist robberies are so common that Trench Reynolds, who hosts an anti-Craigslist site named CraigsCrimeList.org, chronicles them in a "robbery" category.

Reynolds said robberies that originate with a Craigslist contact have remained fairly constant during the past several years, but are only now attracting media attention.

"They don't always result in someone getting shot in the face like in Ohio, but they are fairly frequent," he said.

The Perfect Crime?
In some ways, a robbery arranged on Craigslist is the perfect crime. Whether the mark is buying or selling the item, he or she arrives at a meeting with either a wad of cash or something valuable. Such meetings often involve the disclosure of much personal information, including phone numbers and home addresses. A clever robber may even persuade the potential victim  to disclose tidbits like work schedules or number of adults in the household at a given time.  And while most consumers are now appropriately skeptical of e-mail from criminals, many let their guard down when a person-to-person meeting is arranged, experts said. 

In addition, many users mistakenly believe it's safe to meet buyers or sellers in their homes -- which provide no safety if three or four thugs arrive armed with weapons.

"I tell people, invite them to meet you at the police station. We're open 24 hours. If they won't do that, then don't bother with them," said Bogota police Sgt. Robert Piterski, who is investigating the robbery of Michael's MacBook. "But many people just don't get it, don't realize how dangerous this can be."

Increased use of Craigslist for robberies may simply represent the coming-of-age of a generation of criminals who grew up using the Internet, so-called "Digital Natives" using familiar tools to commit crimes.  After a string of incidents in Chicago, police Detective Joseph McGuire said the crime occurs "where a thug meets a white-collar education."

Digital trails, but little risk
You might think the crime would be risky for the criminals. After all, many leave behind a digital trail of e-mails, Craigslist posts and telephone calls that could be traced by law enforcement.  While that's true, such cybersleuthing is rarely done by local police, said Mark Rasch, former head of the Justice Department's Computer Crime Unit.  The word is out, at least in some towns, that criminals don't have to worry about being tracked through cyberspace.

"A lot of these towns don't have the training or the manpower to do that kind of work," said Rasch, now head of privacy at security firm CSC.  And while clever criminals could hide their Internet tracks, they usually don't bother. "They rely on the fact that police lack subpoena power and technological sophistication," Rasch added.

 Also, getting a subpoena from the local district attorney is usually a bridge too far in small-ticket property crimes, he said.

Officials at Craigslist sent an e-mail in response to questions about the incidents.

"The overwhelming majority of Craigslist users are trustworthy and well-intentioned," said spokeswoman Susan MacTavish in the note.  "With billions of human interactions facilitated through Craigslist, the incidence of violent crime has been extremely low."

Rasch also said  consumers "can't really blame the Internet," for these kinds of crimes. Suspects could just as easily post or browse similar ads in newspaper classified ads section, he noted.

RED TAPE WRESTLING TIPS
Craigslist has posted a list of tips available to consumers who engage in transactions. It includes typical advice, such as meeting in a public place and letting family or friends know about the transaction.

Rasch has additional ideas for consumers, though he cautions: "None of these is  fool-proof."

"The trick is to get as much information from the other party as you can without giving up much on yourself," he said.  He recommends getting multiple e-mail addresses, Twitter accounts, Facebook pages and phone numbers. Then, spend some time on Google backgrounding the person.  Take the first part of an e-mail address -- such as the "bob1234" part of bob1234@gmail.com -- and Google that, which will often unearth alternate e-mail addresses.

"Anything to establish their identity," he said.  "You can corroborate that this is a real, legitimate person that way. Real, legitimate people have online personas, they have a history. Or you can tell if an e-mail address was just created yesterday to facilitate a crime."

Once contact is made, conduct as much business as possible online, he recommends, to create a digital trail and leave evidence in case something goes wrong.

"That will enhance your security," he said.  The more elaborate and firm your requests, the more likely a criminal will simply move on to another mark, he pointed out.

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

Times are tough -- even for cybercriminals.  Online merchants in the U.S. and Canada report a dramatic 18 percent drop in fraud, down from $4 billion in 2008 to $3.3 billion this year, according to a survey by the security firm CyberSource. Meanwhile, the fraud rate of 1.2 percent of all sales is the lowest in the 11-year history of the survey. Even among international orders, traditionally the bane of Web sites, fraud rates plummeted by 50 percent.

The news comes just in time for Web shoppers who are pulling out their credit cards and wondering about the safety and security of online holiday gift shopping.

"We were surprised," said Doug Schwegman, CyberSource's director of market and customer intelligence. "Internally people were thinking that with the recession, fraud would go up, that there would be more people out there with technical skills who needed to put food on the table. But it looks like the merchants stepped up to the plate and got their act together."

Schwegman said the recession may actually have helped Web site fraud departments in two ways:  prompting online firms to implement tighter fraud controls to chase down every dollar during the tough economy and giving computer security professionals at these Web sites a chance to catch their breath.

"They've been dealing with double-digit growth for years and when the market slowed down they were able to catch up a little bit," he said.

But new technologies undoubtedly contributed to the fight against fraud.  This year, a relatively new technique called device fingerprinting, which can make life very difficult for would-be credit card thieves, took hold in the marketplace.

Device fingerprinting goes far beyond cookies and IP addresses to identify users, employing software to examine a variety of unique identifiers on computers used to order products. These range from the version of Flash software stored on a computer to the time and date stamp of the installed Web browser and the version of BIOS used inside the machine.  Combining these characteristics, the software can positively identify computers with accident rates as low as one in 1 million, Schwegman said.

The technique is chiefly used to identify criminals who are placing numerous orders with multiple credit cards using a single computer. Traditionally, criminals could use proxy servers or other evasive techniques to place multiple fraud orders when using a cache of stolen cards. Now, it's relatively easy for Web sites to spot multiple orders coming from the same machine.

Other anti-fraud techniques are common too, including geo-location, which uses IP address to determine a customer's location (used by 52 percent of large merchants); telephone number reverse look-up (33 percent); and shared "negative  lists" of attempted frauds among merchants (23 percent).

CyberSource

Despite the apparent success, there's little cause for celebration, Schwegman warned.  This year's cybercrime dip could be an anomaly.

"It's kind of an arms race. It could be things will bounce back next year (for criminals)," he said.

And there is another more discouraging explanation for lower e-commerce fraud rates: Serious computer criminals have moved beyond basic credit card fraud to more sophisticated account creation fraud that allows them to steal money directly from banks.  So-called "new account fraud is not counted in the CyberSource survey, Schwegman said.

Kevin Haley, director at Symantec Security Response, said this migration could explain why merchant fraud was down but overall cybercrime activity spiked, according to Symantec research. Clearly, he said, cybercriminals haven't gone away.

"In general we're seeing 2009 as a pretty bad year from a security standpoint," he said. "Record levels of spam, a nine fold increase in malware sent through e-mail.  The rises we saw in the things we track are astronomical."

The price of stolen credit cards in the underground economy was flat, however, supporting CyberSource's research that that Web site fraud is no longer the sexy part of cybercrime.

And there's more sobering news -- fraud rates remain abysmal among online electronics, Schwegman said.  Electronics sellers still turn down one order of every 18 they receive, the CyberSource survey found, a rate that's consistent with past years and double that of other merchants. Turning away fraud is good, of course.  But with high order rejection rates, there’s always some babies thrown out with the bath water – the more rejections, the more legitimate orders and the more lost sales.

Meanwhile, heavy losses also hurt consumers, in two ways: through higher prices and more hassles at the checkout counter.  When a site suffers fraud, it conducts more "manual reviews" of orders, which can slow down the purchasing process. Consumers who wish to buy Christmas gifts and have them shipped to the recipient can find they face far more questions when the shipping address and credit card billing address don't match.

Still, despite the caveats, the drop in overall fraud is meaningful, Schwegman said.

"The fraud rate was stable for so long, and we are very careful with the methodology, so we think it's significant," he said.  "This isn't a battle that can ever be won outright. But we're certainly going to make life difficult for the bad guys."

The CyberSource survey involves both customers and non-customers of CyberSource security products; it involved 352 responses from Web sites representing more than $60 billion in annual online sales, and was conducted by Mindwave Research.

RED TAPE WRESTLING TIPS
Consumers shopping online for the holidays should be heartened by survey results, as it appears online Web sites are gaining ground on criminals. If it becomes harder to use stolen credit cards, criminals will steal them less often.

But that doesn't mean shoppers don't have to be vigilant. The security gap between well-known, large e-commerce sites and niche sites continues to widen. So those surfing and buying at smaller Web sites should consider using old-fashioned purchasing tools, Schwegman said.

"If I'm shopping for a unique gift at a smaller site, that's when I would tend to use more secure payment methods, or maybe even place the order over the phone," he said.

Symantec's Haley pointed out that, despite years of work battling the problem, phishing remains the number one threat to consumers during the holiday season. The frequency of e-mails from retailers offering consumers receipts or shipping status updates creates a fertile ground for hackers to send fake e-mails soliciting personal information.

"We'll see things around the Christmas seasons, like e-mails that claim to be from a department store they may really be doing business with," he said. "Users can be tricked to click on a link and give up their credentials. People should be more wary of that kind of attack during this season."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.