Back in the good old days of the Internet, the hacker was a teenager motivated by high-tech pranks and bragging rights. Today, the online thief could be anyone with ‘Net access who is after a quick buck.
“Hacking has escalated from a destructive nature to financial gain through phishing, targeting people for bank account details, and siphoning accounts from there,” says Derek Manky, security researcher at Fortinet.
“It’s a very sophisticated ecosystem, with organizations and services for hire,” he continues.
“There’s a lot of money floating around, a lot of people involved. Once the infrastructure and networks are in place, you start building that foundation, which can be further leveraged and taken to the next level: denial of services, cyber warfare, espionage.”
In the Web 2.0 world of ubiquitous, seamless, horizontal communication, information wants to be free. But just as easily as it can be uploaded, downloaded and shared, it can be accessed and exploited by individuals with a different agenda.
While online communities in particular continue to grow through friendly social networking sites, underground cybercrime syndicates continue to thrive on these on-screen relationships based on sharing and trust.
And with social engineering the hottest commodity on the phishing market, it’s a question of knowing, quite literally, what makes people click.
Topping the most-wanted list, an organization dubbed Rock Phish is reputedly responsible for more than half of all phishing sites worldwide. In addition to its proven technical prowess, part of its success can be attributed to baited hooks written in perfect English — as well as French, German and Dutch — with always impeccable counterfeit design of brand logos and styles.
After yesteryear’s scams for Nigerian bank transfers, today’s spam 2.0 and its associated army of malware (“malicious software” such as viruses, worms, Trojans and keystroke loggers) are much less obvious.
On the dark side of the Internet, white-collar cybercrime lords operate specialized Internet Relay Chats and Web forums, laundering the money through mules in front companies.
These executive brokers buy stolen data from spammers and phishers, who rent time and service from bot-herders on their botnets (“robot networks” of zombie computers) connecting thousands of PCs, which then spam the malicious e-mails to the unsuspecting user.
Meanwhile on the Web, the same brokers may pay programmers to write malware and hackers to break into sites. The hackers can then implant the malware or steal e-mail addresses and other ID info to sell to the spammers.
At the same time, malware “ad” scammers pay sketchy sites to serve their malicious adverts, while hackers and spammers hire criminal or otherwise irresponsible ISPs to host their malevolent servers and traffic.
Of course, with a consolidated solution for unified threat management, that booby-trapped e-mail should never make it to your inbox.
And where there’s volume in numbers, it pays not to be greedy. As the legend goes, the boy who lifts a penny out of one million accounts still gets away with $10,000, using virtually no effort once the mechanism is in place.
Billions, not millions, lost to fraud
According to the Javelin Strategy & Research 2008 Identity Fraud Survey Report, identity fraud and theft totaled $51 billion in the U.S. over the past year, after peaking at $58 billion in 2006.
On the international crime scene, one arrested spam organization alone reportedly generated $40 million in a single year.
“Stolen credit card data can sell for pretty cheap, like $5 to $10,” says Manky, “but more targeted, sensitive data can bring in massive amounts. A coveted online gaming account can sell for up to $1,000.”
“These criminals can upset the commercial relationship between Internet-based businesses and consumers,” says Jens Andreassen, Fortinet’s Vice President in Asia-Pacific. “They can compromise the whole credit system and can certainly also inflict significant personal losses for individuals.”
From Manky’s perspective, the next big threat is targeted attacks on high-level executives at corporations with well-padded bank accounts.
“They can employ a way more efficient targeted attack, similar to the localized attacks on online gaming, and walk away with a lot more money,” he remarks.
The mobile threat may be relatively minor for now, but as cell phones become increasingly integrated with desktop environments, the line of safety is blurring.
“We’ve already seen one crossover virus capable of hopping over from the Symbian OS platform on smart devices to Windows on a PC,” says Manky.
Popular remote applications such as widgets, ActiveX controls and the codecs needed to decode video are further potential carriers of malicious code: created by third-party developers and hosted under a trusted name, such as Facebook or Blogger.
Technical ‘arms race’ heating up
Meanwhile, the technical arms race between cyber-criminals and security professionals has escalated.
Many bot-herders are advanced techies operating in developing countries with large populations such as Russia or China, sending out attacks with names such as Canadian Pharmacy, hiding phishing links in images and viruses in spreadsheets, and registering a series of phishing sites with similar names.
Many of these criminal organizations use a fast-flux network of shells (compromised hosts that front for the real servers and are rotated rapidly through DNS), making it harder to track malicious Web traffic to its source.
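One way a defender spots the fast-flux pattern described above is to profile passive-DNS answers per domain: a fast-flux domain resolves to many different addresses, spread across unrelated networks, with very short TTLs. The following is an added example (not code from the article or from Fortinet); the log lines, domain names, thresholds and the use of /24 prefixes as an offline stand-in for network (ASN) diversity are all constructed assumptions.

```python
"""Flag fast-flux candidates from passive-DNS style records.

Added example. Input format (constructed): "<unix_ts> <domain> <ip> <ttl>"
one record per line. Real deployments would feed this from a passive-DNS
collector and replace the /24 heuristic with a proper ASN lookup.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: one ordinary site and one domain rotating across
# three unrelated documentation-range prefixes every five minutes.
SAMPLE_LOG = """\
1200000000 shop-example.test 198.51.100.10 3600
1200003600 shop-example.test 198.51.100.10 3600
1200007200 shop-example.test 198.51.100.11 3600
1200000000 flux-example.test 203.0.113.5 300
1200000300 flux-example.test 192.0.2.77 300
1200000600 flux-example.test 198.51.100.200 300
1200000900 flux-example.test 203.0.113.140 300
1200001200 flux-example.test 192.0.2.18 300
1200001500 flux-example.test 198.51.100.33 300
"""

Record = Tuple[int, str, str, int]  # (timestamp, domain, ip, ttl)


@dataclass
class DomainProfile:
    domain: str
    answers: int
    distinct_ips: int
    distinct_prefixes: int  # distinct /24s; stand-in for ASN diversity (assumption)
    min_ttl: int
    span_seconds: int

    def looks_fast_flux(self, min_ips: int = 5, min_prefixes: int = 3,
                        max_ttl: int = 600) -> bool:
        """Triage rule: many IPs, across several networks, with short TTLs.
        The thresholds are illustrative, not tuned values."""
        return (self.distinct_ips >= min_ips
                and self.distinct_prefixes >= min_prefixes
                and self.min_ttl <= max_ttl)


def parse_records(text: str) -> List[Record]:
    """Parse the constructed whitespace-separated log format; skip blanks and '#' comments."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        records.append((int(ts), domain.lower(), ip, int(ttl)))
    return records


def slash24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so hosts in one block count once."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def profile_domains(records: List[Record]) -> Dict[str, DomainProfile]:
    """Aggregate per-domain resolution behaviour over the observed window."""
    by_domain: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_domain[rec[1]].append(rec)
    profiles: Dict[str, DomainProfile] = {}
    for domain, recs in by_domain.items():
        timestamps = [r[0] for r in recs]
        ips = {r[2] for r in recs}
        profiles[domain] = DomainProfile(
            domain=domain,
            answers=len(recs),
            distinct_ips=len(ips),
            distinct_prefixes=len({slash24(ip) for ip in ips}),
            min_ttl=min(r[3] for r in recs),
            span_seconds=max(timestamps) - min(timestamps),
        )
    return profiles


def flag_fast_flux(text: str) -> List[str]:
    """Return the sorted list of domains whose profile matches the triage rule."""
    profiles = profile_domains(parse_records(text))
    return sorted(d for d, p in profiles.items() if p.looks_fast_flux())


if __name__ == "__main__":
    for name, prof in profile_domains(parse_records(SAMPLE_LOG)).items():
        print(name, prof.distinct_ips, prof.distinct_prefixes, prof.min_ttl,
              "FAST-FLUX?" if prof.looks_fast_flux() else "ok")
```

Treat a hit as a triage signal rather than a verdict: large CDNs and round-robin load balancers also answer with many addresses and short TTLs, so the flagged domain still needs checking against registration age, hosting reputation and the content it serves before any takedown request goes to a registrar.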
“Bot-herders and other ‘spam kings’ are difficult to track down, especially in so many different jurisdictions and areas around the world, with no enforced policies against them,” Manky observes.
“In this situation, it’s really a matter of knowing your enemy — and it’s a refining process at that.”
On the benevolent side, intelligence tools such as the honeypot are helping researchers learn more about the malicious activity going on in the cybersphere.
“It’s like plugging an unpatched computer into the Internet,” says Manky.
“It’s vulnerable to attacks, just like in the real world. Then it generates alerts based on virus activity and monitors it in real time. It allows us to gain information, and to see the enemy’s next move.”
Other initiatives, such as the large-scope Operation Bot Roast — an active campaign to track down botnets, find operation control centers and the organizations behind them — have been only partially successful, as several holes remain in the overall infrastructure.
E-mail services, ISPs, registrars, search engines and software makers are also vulnerable to attacks and sometimes reluctant to cooperate in the fight against cybercrime.
“That’s how these guys stay alive,” insists Manky. “Registrars are often not cooperative when we try to take down names for phishing and malware hosting. We spend most of our time trying to mitigate the threat, finding out what’s going on with malware and reporting to the authorities.
“What’s interesting now is the amount of coordination that can be achieved between the researchers, the security industry and other authorities working at these levels in a collaborative effort to take down the bad guys.”
And the anti-crime effort goes all the way down to the individual.
“The biggest fear,” says Andreassen, “is not being aware of what’s out there.”