Virtual Criminology

8/9/2019 Virtual Criminology

1/24

MCAFEE VIRTUALCRIMINOLOGY REPORT

ORGANISED CRIME AND THE INTERNET

December 2006

McAfee 2006


2/24

01

CONTENTS

INTRODUCTION

SECTION ONECYBERCRIME: A NEW GENERATION OF CRIMINALS

SECTION TWOHI-TECH CRIME: HOW ORGANISED CRIME IS PROFITING FROM THE INTERNET

SECTION THREETHE INSIDERS: THE NEW THREAT TO CORPORATES

SECTION FOURFUTURE CHALLENGES

REFERENCES


3/24

In 2005, the McAfee Virtual Criminology Reportrevealed how European cybercrime had expandedfrom geeks in their bedrooms to organisedcybercrime gangs.

The McAfee report, the first to examine organisedcrime and the Internet, highlighted how old-stylecrime gangs were going hi-tech and replacingbaseball bats with botnets to carry out systematicand professional cyber crimes.

A year on and cybercrime represents the fastest-growing category of crime globally.

Cybercrime is no longer in its infancy, it is now bigbusiness. Organised crime is capitalising on every

opportunity to exploit new technology to performclassic crimes such as fraud and extortion to makemoney illegally. And they are targeting businessesand individuals alike.

Organised crime gangs may have less of the expertiseand access needed to commit cybercrime but theyhave the financial clout to buy the right resources andoperate at a highly professional level.

NEW GENERATION GROOMED FOR CYBERCRIME

The new research reveals how organised crime isgrooming a new generation of high-flyingcybercriminals using tactics which echo those

employed by the KGB to recruit operatives at theheight of the cold war.

TEENS AS YOUNG AS 14 ATTRACTED BY CULT OFCYBERCRIME

The study also reveals how internet-savvy teens asyoung as 14 are being attracted into cybercrime by thecelebrity status of hi-tech criminals and the promise ofmaking money without the risks associated withtraditional crime.

FROM BEDROOM LONERS TO COMMUNALCAFES

The report examines how cyber criminals are movingaway from bedrooms and into public places such asInternet cafes and Wi-Fi enabled coffee shops.

Experts across the globe recognise the growth ofcybercrime. Dave Thomas, Section Chief, FBI CyberDivision, says If you have people reading in themedia that other people are making a lot of moneyfrom cybercrime and if they have criminal intent then they are definitely going to also take that path.

The threat of cybercrime to businesses and individualscontinues to increase at a staggering rate. In July2006, McAfee researchers reported that over 200,000online threats had been detected. It took 18 years toreach the first 100,000 (2004) and only 22 months todouble that figure. McAfees researchers expect it todouble yet again in a similar timeframe. Organisedcrime has realised the potential of making moneythrough the Internet as we move forward into ourcyberworlds.

Commissioned by McAfee and with contributions fromRobert Schifreen, expert author of the best-sellingbook Defeating the Hacker, law enforcement agenciesand cybercrime experts across the globe, the secondMcAfee Virtual Criminology Reportshows how hi-tech

crime is developing and looks into the future threatthis activity poses to home computers as well as togovernment infrastructure and corporateorganisations.

INTRODUCTION

GREG DAY, MCAFEE SECURITY ANALYST

Its been dubbed Web 2.0 or the internets secondwave. Millions of people are now harnessing theinternet to network with each other socially, create

and share content and buy products and services ineven greater amounts. So too is organised crime.

Organised crime is seizing the potential of the digitalspace we live our lives through today for financialgain.The increasing take-up of broadband and newtechnologies such as voice over internet (VoIP) servicespresent new opportunities for hi-tech criminals.

Cybercriminals are not standing still either.

They are developing faster, stealthier and moreresilient methods such as ransomware to target newand unsuspecting victims such as home PC users andsmall businesses.

The security industry has also not stood still. Today,global viruses like Mydoom and Sober are no longereffective means of causing mass infection. Socybercriminals are using more subtle and sophisticatedmethods that are harder to detect. As such, proactiveprotection is becoming imperative it is the only wayto offer users absolute confidence.

As the largest dedicated security company in theworld, McAfee is at the forefront of enablingconsumers and businesses to better understand therisks they face online - showing them the best waysthey can take a proactive approach to securing thethings that matter most to them, including theiridentity and personal belongings such as digitallyarchived photos and music.

McAfee has worked with leading hi-tech enforcementexperts and agencies across Europe and the US overthe past five months to reveal its second study intoorganised crime and the Internet. The studyunderlines how vigilant we should all be as newtechnologies propel our usage of the Internet but alsoprovides new opportunities for hi-tech criminals.

02


4/24

03

Governments, companies and enforcement agencieshave intensified their efforts to bring hackers andother malware authors to justice over the last year.The publicity surrounding high profile court cases andcybercrime activity has thrust cybercrime into themedia spotlight and heightened public awareness.

At the same, time its never been easier to commitcrime online. Opportunity is everywhere and as aresult the threat of cybercrime is now omnipresent.

Old-style criminals are driven largely by a desire tocause harm or make money. Rarely will a criminal roba bank, mug a stranger or kidnap a person to make apoint or to see how easy it is to do. Conversely, theInternet has prompted all manner of rogue behaviour some out of intellectual interest and curiosity butmost because the opportunity and financial incentiveis there.

The number one motivator is opportunity. Whateverthe underlying motivation, be it financial orotherwise, if they have the opportunity they cancommit the crime. Take away the opportunity and themotivation becomes less important. People dont

spend enough time exploring why potential criminalshave the opportunity to commit crimes in the first

place.Professor Martin Gill - Director of Perpetuity Research andConsultancy International and a Professor of Criminology atthe University of Leicester

SECTION ONE

CYBERCRIME: A NEW GENERATION OF CRIMINALS


5/24

04

CASE STUDY: THE CULT-LIKE STATUS OFCYBERCRIMINALS GARY MCKINNON

Gary McKinnon was indicted by a US court inNovember 2002, accused of hacking into over 90 USMilitary computer systems from the UK. Gary faces upto 70 years in jail but has a huge online following ofpeople trying to get him out of jail and/or protestinghis extradition to the US for trial and punishment.Many people believe he should be tried in England

and serve his time in the UK.http://freegary.org.uk/

Gary claims his inspiration to become a hacker camefrom watching the movie WarGames when he was 17years old. He thought, Can you really do it? Can youreally gain unauthorised access to incrediblyinteresting places? Surely it cant be that easy. And sohe gave it a try.

SPOTLIGHTING CYBERCRIME

Defcon, the annual hacker gathering in LasVegas: Attendees were encouraged to hack theirentrance badges

The Blackhat Security Conference: Microsoftencouraged hackers to take their best shot at its newoperating system, Windows Vista

Hack in the Box labelled as the most intimate ofthe hacker conferences

CULT-LIKE STATUS OF CYBERCRIME

If you have people reading in the media that otherpeople are making a lot of money from cybercrime and if they have criminal intent then they are

definitely going to also take that path.

Dave Thomas, Section Chief, FBI Cyber Division

As a result, cybercrime has established a cultfollowing, with online offenders rising almost tocelebrity status within hacking communities.

Virus writers, hackers and other malware authors havewell-publicised conferences and seminars where theyshowcase their methods to highlight potential securityissues. But as well as revealing potential security issues,they also expose vulnerabilities and the opportunityfor criminals and black hat activities.



6/24

05

FROM INQUISITIVE TO INCRIMINATING: HOWYOUNG TEENAGERS FALL INTO CYBERCRIME

Many young people are first enticed into cyber-criminality by intrigue, by the challenge and by thepromise of getting something for nothing. Some areaware of their illegal actions from the start; othersedge slowly toward the murky underworld fromseemingly innocent beginnings.

Young hackers and script kiddies get involved on thesmall scale and it steamrolls from there. They startwith very simple tasks but move quickly to accessingcredit cards and other money-making schemes. The FBIfocuses a lot on attacks and criminal networks comingout of Eastern Europe. Many of these cybercriminals

see the Internet as a job opportunity. With lowemployment, they can use their technical skills to feedtheir family. Cybercrime becomes an occupation.


Newsgroups, forums and Internet cafes are full ofpeople looking for information and passwords.Initially, their aim is fairly harmless and many do nothave aspirations of being a serious cybercriminal - theyare only password-hunting because they wish to hackinto a computer program to see if they can, to seehow it works or access a game which is protected.

However, other hackers and malware authors freelyexchange tips in online forums and feed beginners theknowledge to hook them in. The typical hacker isbetween 14-19 years old.

1

For many, the thrill of the challenge and thecommunity is too tempting a scenario to resist. Just asa drug addict enjoys their first high and increasinglylooks for the next fix, so too does the lure of the nextcyber-scam prove addictive and all too easy if youknow where to go for advice. That addiction grows asthe stakes become higher and organised criminals payyoungsters to execute their extortion scams. As aresult, cybercrime amongst teenagersis rising.

Once an amateur hacker becomes more proficient atcompromising systems, it is easy to realise that theycan make money doing so (for example: renting outbots or leasing out slots to send spam). At the sametime, criminals pro-actively recruit people for theirtechnical jobs. Those people may not know what theyare really getting involved in.

Erik de Jong, Project Manager, Govcert.NL

CASE STUDY: FROM INQUISITIVE TOINCRIMINATING

By the age of 20, Shiva Brent Sharma had amassed inexcess of $150,000 of cash and merchandise reapingthrough computer crime. When he was arrested forthe third time for identity theft, he claimed he couldearn around $20,000 in a day and a half. An addictionto the challenge and to the reward, he fears thatwhen he finishes serving his two to four year prisonterm, hell relapse and start tapping into onlinewallets again.

From a middle-class family background and theyoungest of three children, Sharma was alwaysbattling for access to the Internet. His criminal

activities started when he began regularly visiting siteswhere users from all over the world met to swap tipsabout identity theft and to buy and sell personalinformation. The tricks and techniques he learnedthere enabled him to undertake his variety of scams.

He began with phishing, then dealt in bootlegsoftware before ultimately moving on to buyingstolen credit card accounts online, changing theinformation and sending the money to himself.

Sharma never could provide a clear reason for hiscrimes. At times he claimed it was simply a game topass the time, whilst at others he implied it was amore focused attack against the banking industry.

Well, you know I mean theres no justificationbehind it at all. You know it was wrong and I did it it was wrong.

2



7/24

06

WWW.HOWTOHACK.COM

The availability of tools online has assisted thegrowth of cybercrime. The complexity of tools has alsoincreased. For example: creating ones own bot and

setting up a botnet is now relatively easy. You dontneed specialist knowledge, but can simply downloadthe available tools or even source code. In general,

you see that tools that were once only available to a

privileged group of specialists become available tothe general public over time.

Erik de Jong, Project Manager, GOVCERT.NL

Its never been easier to commit cybercrime. Theresmore opportunities and more information on how toget started with just the click of a mouse.

Within seconds of searching online, anyone of any agecan access numerous sites and information on hackingand other cyber scams.

While the vast majority of content online has fostereda sprit of enterprise and sharing of information andknowledge for good, it has made it easy for

impressionable young teenagers, and those peopleintent on making money, to find the tools to getstarted in cybercrime.

The tools necessary for spamming and phishing areeasily accessed and publicly available on the Internet.Companies sell lists of email addresses at $39.95 permillion for multiple use.

3Compare this with the going

rate of 20p per name for conventional mailing listsfrom reputable firms for just one-time mailings and itis easy to see the opportunity for criminals. Once theyhave the addresses all they have to do is send theloaded email and engineer the welcome messagethat will get consumers to open it.

Hacking tools have been available on-line for someyears now. Criminals often will adopt and put them toillicit use. Despite this, we continue to arrest and

prosecute those who seek to engage in computercrime.

Robert Burls MSc, Detective Constable, Metropolitan PoliceComputer Crime Unit



8/2407

HOW ORGANISED CRIME IS GROOMING THENEXT GENERATION OF CYBERCRIMINALS

Cybercriminals need not only IT specialists theyneed people that can launder money, people that can

specialise in ID theft, someone to steal the creditnumbers, then hand it off to someone who makesfake cards. This is certainly not traditional organisedcrime where the criminals meet in smoky back rooms.Many of these cybercriminals have never even metface-to-face, but have met online. People are openlyrecruited on bulletin boards and in online forumswhere the veil of anonymity makes them fearless to

post information.


Although organised criminals may have less of theexpertise and access needed to commit cybercrimes,they have the funds to buy the necessary people to doit for them.

In an echo of the KGB tactics employed during thecold war to recruit operatives, organised crime gangsare increasingly using similar tactics to identify andentice bright young net-savvy undergraduates.

Organised crime gangs are starting to actively recruitskilled young people into cybercrime. They areadopting KGB-style tactics to recruit high flying IT

students and graduates and targeting computersociety members, students of specialist computer skillsschools and graduates of IT technology courses.

At the height of the cold war, potential KGBoperatives were often identified by skimming trade

journals for expert names, checking trade conferencesattendees or were approached out of the blue onuniversity campuses.

In the words of former KGB Maj. Gen. Oleg Kalugin:

If you can find a young person, perhaps a student,before his opinions have fully matured, then makehim truly believe in your cause, he will serve you formany years.

4

In some cases, organised crime gangs are going evenfurther to sponsor eager would-be hackers andmalware authors to attend information technologyuniversity courses to further their expertise. Criminalsare also earmarking university students from otherdisciplines and supporting them financially throughtheir studies with a view to them gaining employmentwith, and inside access to, target organisationsand businesses.


CASE STUDY: POTENTIAL TARGETS OFCYBERGANGS

In June 2006, researchers surveyed 77 computerscience students at Purdue University, USA, using ananonymous, web-based questionnaire. Students wereasked whether they had indulged in one of severaldeviant computer acts, some of which could beclassified as illegal.

These activities were guessing or using anotherpersons password, reading or changing someoneelses files, writing or using a computer virus,

obtaining credit card numbers and using a device toobtain free phone calls.

The number of IT students who admitted to suchbehaviour was high. Of 77 students, 68 admitted toengaging in an activity that could be classified asdeviant.

5


9/24

THE INNOVATORS

Who? Focused individuals who devote their time to finding security holes in systems orexploring new environments to see if they are suitable for malicious code

Why? The Challenge

How? Embrace the challenge of overcoming existing protection measuresand seek to break in through the back door

Danger Rating: Low

These purists, the elite threat authors, only make up 2% of the hackingand malware author population

THE AMATEUR FAME SEEKERS

Who? Novices of the game with limited computingcapabilities and programming skills

Why? Hungry mainly for media attention

How? Use ready-made tools and tricks

Danger Rating: Moderate

Threat lies in the unleashing of attacks withoutreally understanding how they work

THE COPY-CATTERS

Who? Would-be hackers and malware authors

Why? The celebrity status of the cybercrime communityhas prompted an upsurge of those desperate to replicate

their formulae for fame

How? Less focused on developing something newand more interested in recreating simple attacks

Danger Rating: Moderate

THE INSIDERS

Who? Disgruntled or ex-employees, contractors and consultants

Why? Revenge or petty theft

How? Take advantage of inadequate security, aided by theprivileges given to their positions within the workplace

Danger Rating: High

This group is a growing and serious security problem

THE ORGANISED CYBER-GANGSTERS

Who? Highly motivated, highly organised, real-world cyber-crooksLimited in number but limitless in power

Why? Intent on breaching vulnerable computers to reap the rewards

How? Like in most communities of successful criminals, at the centre is a

tight core of masterminds who concentrate on profiteering by whichever meanspossible but surrounding themselves with the human and computer resources to make

that happen

Danger Rating: High

FROM PURISTS TO PROFITEERS:THE CYBERCRIME FOOD CHAIN

Perpetrators of cybercrime today range from theamateurs with limited programming skills who rely onpre-packaged scripts to execute their attacks, rightthrough to the well-trained professional criminals whoare armed with all the latest resources.

08


10/2409

COMPARISONS BETWEEN REAL WORLD YOUNGOFFENDERS AND CYBERCRIMINALS

Criminals are exploiting the fact that the cyber-worldrepresents a vast domain of global opportunity withvirtually no barriers and little risk of detection andpunishment. A US Treasury advisor has stated that

more money is now made from cybercrime than fromthe traditionally high revenue-yielding drugs industry.

6

Whilst law enforcement agencies are working hard tocombat the cybercrime threat, in the opportunityversus risk versus reward ratio, online crime iscurrently proving more appealing to serious criminalsthan traditional organised crime.

PROFILE OF A DRUG-COURIER:

NAME: AGE:Scott Rush 19

MOTIVE: METHODS:Money Drug trafficking. Caught

couriering heroin fromAustralia to Bali

REWARD: RISKS AND1.3kg of heroin PUNISHMENTS:with a street Also on charges of fraud,value of $1m theft and drink-driving,

Scott was sentenced tolife imprisonment. Onappeal this was upgradedto the death sentence.


PROFILE OF A BOTNET AUTHOR:NAME: AGE:Jeanson James 20Ancheta

MOTIVE: METHODS:Money Used trojan horse to

infect and controlcomputers before sellingto adware, spyware andspam companies

REWARD: RISKS AND$0.15 per install PUNISHMENTS:$3,000 per botnet James was the fi rst botnet$60,000 in 6 months author ever to sentenced, inand over May 2006. He got four years$170,000 in total in prison.


11/24

10

Online crime has changed dramatically in recent years.The previously common and global virus events arenow all but a thing of the past. In the first half of2004, 31 virus outbreaks were rated medium andabove. The second half of 2004 saw 17 more. Thatnumber fell to 12 for the whole of 2005 and in 2006there have been no outbreaks of comparative severity.

The focus has turned towards altogether stealthier

and more targeted means of attack.Cybercriminals are refining their means of deceit andthe victims they are targeting. Evolving theirtechniques and targets allows them to stay one stepahead of detection.

KEY TRENDS OVER THE PAST YEAR INCLUDE:

Moving away from bedrooms and into publicplaces to avoid detection

Exploiting the new online social networkingexplosion

Targeting identities by employing new

techniques such as spear phishing Targeting new technologies mobile phones

and devices

Targeting individuals and small businesses

Criminal collaboration and the creation ofmalware mafia families

FROM BEDROOM LONERS TO CAFE CRIMINALS

The stereotypical view of lone cybercriminalsoperating out of their bedrooms is no longer a validone. Nowadays, they are to be found right in thepublic eye. But rather than opening themselves up fordiscovery they are covering themselves with aninvisible cloak.

Hackers and malware authors traditionally workedfrom the hidden depths of their homes because theyneeded access to a telephone line for modem-to-modem communications. But the Internet, itspopularity and its pervasiveness, has changed all that.They can access the Internet in a cybercaf, university,library, telephone kiosk, from a PDA or mobile phone or even by stealing bandwidth from any unprotectedWi-Fi network that they happen to be parked near to.

By using the Internet in a public place, cybercriminalsmaintain crucial anonymity and avoid detection. ManyInternet cafes clean their computers by automaticallyrebooting the machines and wiping all non-standardfiles between each customer. Anonymity is key and

tracks are more easily covered from a public location.

COVERT COMMUNICATIONS IN PUBLIC SPACES

Following the explosions in London on 7th July 2005,the National Hi-Tech Crime Unit (NHTCU) contactedJANET, the Joint Academic Network, which connectsUK universities, colleges and schools.

The NHTCU suspected that the terrorists used atelecommunications system in the planning andexecution of their attack, and that universities mayhave information on their networks that could assist inits investigations. The NHTCU requested that all databe preserved.

SECTION TWO

HI-TECH CRIME: HOW ORGANISED CRIME IS PROFITINGFROM THE INTERNET


12/24

11

SOCIAL NETWORKING: HOW CRIMINALS ARETARGETING THE WEBS SOCIAL NETWORKINGEXPLOSION

Since its beginning, the web has often been usedas a tool to meet new people, but over the lastyear the interaction between Internet users hasgrown dramatically.

Web 2.0, or the Internet model where content iscreated and shared, has given birth to some of themost popular websites the Internet has ever seen.

Sites like MySpace, Bebo, Friendster, Facebook and

LinkedIn (a site used for business networking) havefuelled the social networking trend.

Its a hugely powerful medium and people are juststarting to grasp how effective it can be to link withfriends, or potential business associates.

By their very nature, these sites are vulnerable tomisappropriation. There is a false economy of trust.People dont present personal information tostrangers in the street, but building profiles onlinemean that Internet criminals can instantly access amine of details names and interests, pets and lifestories. All of which help them to either take thoseidentities directly to defraud, or understandpersonalities to better and more effectively targetphishing or adware scams.

The inclusion of music on MySpace has been one ofthe biggest reasons for the sites success.

Unknown bands have demonstrated that socialnetworking sites can be an effective way of promotingthemselves. Artists like Lilly Allen and Arctic Monkeyshave used MySpace as a springboard.

SOCIALLY UNACCEPTABLE SCAMS ONMYSPACE

In October 2005, the Samy worm was discovered onpopular community site MySpace.com. By exploitingvulnerabilities in the MySpace.com site, the wormadded a million users to the authors friends list.Additionally, the malicious code would be copied intothe victims profile, so that when that persons profilewas viewed, the infection spread.

In summer 2006, a banner ad on MySpace

compromised almost 1.1 million computers. Whenusers opened the image, the hacker was given accessto the infected PC. The spyware installation programcontacted a Russian-language web server in Turkeythat tracked the PCs on which the programme hadbeen installed. The ad also attempted to infect usersof Webshots.com, a photo-sharing site.

MySpace was also subject to a phishing scam in 2006.The attack started when users were sent a linkthrough an instant messaging program. The link wasfrom someone in their contact lists, asking them toclick the link to MySpace to view photos. The link ledto a fraudulent MySpace login page. Once the victimentered their information, they were thentransparently logged into the real MySpace pages. Butin the meantime, all their log-in information becomethe property of the phisher.

SOCIAL ENGINEERING IN PUBLIC COMMUNITYSITES

Just like with social networking sites like MySpace, thevery openness of Wikipedia that allows users to freelyadd or edit available content has made it an attractivetarget for virus authors to plant malicious code inarticles.

In October 2006, a piece on the German edition ofWikipedia was re-written to contain false informationabout a supposedly new version of the infamousBlaster worm, along with a link to a supposed fix. Inreality, the link pointed to malware designed to infectWindows PCs.

An email was also mass spammed to German

computer users requesting them to download thesecurity fix. The email was crafted to supposedlyappear from Wikipedia, complete with an officialWikipedia logo.


But this also presents the perfect opportunity forcriminals to embed spyware and adware withindownloads, capable of compromising PCs, tracking onlinebehaviour or directing users to inappropriate content.Whole profiles can be developed for illegal purposes.


13/24

12

CONTEMPORARY SCAMS: HOW CRIMINALS ARETRICKING PEOPLE BY TOPICAL CROWD PLEASERS

Popular national and international news and sportsevents draw in the crowds but now they attract thecybercriminals too. Whether its via viral marketing, or

just plain viruses, a topical subject header, website linkor download is capable of reaping in the rewards.

The 2006 World Cup generated exactly this sort ofcriminal opportunity. Popular with millions world-wide, fans hunger for information proved insatiable.Viruses using related messaging circulated fast andfurious; and thousands frantically downloaded scorespreadsheets and screensavers giving criminals almostinstant and unsuspected presence on hundreds ofthousands of computers.

WORLD CUP WOES CRIMINALS 3: CONSUMERS: 0

Virus writers got themselves into a football frenzy

unleashing attacks attempting to cash in on sportssupporters. In May 2006, a trojan horse whichdisguised itself as a World Cup wallchart wasdistributed by spam email. It specifically targetedGerman speakers.

Another virus attack infected Microsoft Excel filescloaking itself as a spreadsheet charting the nationalteams participating in the World Cup.

An analysis of screensaver pages associated with theWorld Cup found that a high proportion of sites wereloaded with adware, spyware and maliciousdownloads. Among the teams, Angola (24%), Brazil(17.2%) and Portugal (16.2%) rated especially highly,while among the players, superstars Cristiano Ronaldoof Portugal, David Beckham of England andRonaldinho of Brazil posed a significant danger to

fans.IDENTITY THEFT: STEALING PERSONALINFORMATION TO DEFRAUD

There has been a dramatic increase in the collectionmethods used by criminals to steal personal identifierinformation.

Victims of identity theft-related malware lose ALL oftheir personal privacy and there is a high probabilitythey also lose substantial amounts of money. Theymight even be involuntarily involved in criminal actsthrough misuse of their

identity.

Christoph Fischer, General Manager of BFK edv-consultingGmbH



14/24

13

KEYLOGGING

Hackers use keylogger programs to silently collectkeystrokes from unsuspecting victims whose use ofonline chat rooms and instant messaging typeprograms makes them vulnerable. On activation, thehacker can collect any information that the user hasinputted online, including personal data used inonline transactions. A large proportion of this data istransmitted internationally to countries where it is

difficult for the law to intervene. The perpetrator thenuses that information to assume an identity and gainaccess to credit card accounts.

According to the FBI: Identity theft costs Americanbusinesses and consumers a reported $50 billion ayear, causes untold headaches for an estimated 10million US victims annually, and even makes it easierfor terrorists and spies to launch attacks against ournation.

1

As a result, in June 2006, the FBI joined corporate,academic, and government leaders in announcing a

new Center for Identity Management and InformationProtection (CIMIP) to combat the increasing threatthat identity fraud and theft pose to personal andnational security.

CASE STUDY: THROWING AWAY CONFIDENTIALINFORMATION

In April 2005, a hard drive of the police ofBrandenburg, Germany, showed up on eBay.Confidential police documents like internal alarmplans for extreme situations like hijacking andhostage-taking were fully accessible. There were also

lists of names on the hard drive showing the manningof crisis management groups, lay-outs, orders andanalytics: information which could be very useful on anumber of criminal levels, not least for terrorists.


CASH FROM TRASH

Cybercriminals are also cashing in with simpler tricks.People often have little realisation of the value of theinformation they just throw away. Criminals havesought out confidential information by rifflingthrough rubbish. Now cybercriminals have realisedthat when computers are dumped or resold, moreoften that not, they still contain a wealth of files anddata that can be used for financial gain or deception.


15/24

14

MIND GAMES: HOW CRIMINALS AREEMPLOYING INCREASINGLY DEVIOUS MEANS TOTRICK PEOPLE INTO HANDING OVER MONEYAND INFORMATION

While cybercriminals continue to churn out attacks onlarger institutions and en masse hits, the majority haveturned to subtler and more effective methods whichintroduce the mind games and social engineeringtechniques that unravel not only chunks of data but

entire identities.PHISHING FACTS

17,000 phishing reports per month in 20062

40% in non-English language3

90% of people still dont recognise well-constructed phish

4

Phishing - the act of sending an email to a user falselyclaiming to be an established legitimate enterprise inan attempt to scam the user into surrendering privateinformation that will be used for identity theft is onthe rise. But the nature of phishing attacks

isconstantly changing.Over the last year, McAfee has seen phishing emailsincrease by approximately 25%. Fraudsters continue totarget the high profile banks, financial institutions ande-commerce sites that they always have done butincreasingly they are changing the content of thephishing mails away from the update your detailsnow scams to a more varied and directed message.In addition to attacking these well known companies,fraudsters are increasingly targeting smaller European

and American financial institutions, and the targetsare changing almost daily.

While virus and worm epidemics have been reduced mostly as a consequence of improved tools fordetection and removal phishing and pharming havebecome predominant means of attacks, especiallytargeting banks.

Professor Klaus Brunnstein, University of Hamburg

The e-commerce phish has also become more directed.Much of the phish targeting popular online auctionsites appear as if they have been sent from anotheruser rather than from the auction site. For example,many of the phish nowadays are fake messagesclaiming that you bought an item and have not paid,or the other user has raised a dispute against you, or isenquiring about an item for sale.

In February 2006, the various update your accountinformation phish accounted for 90% of the ebayphish, and 10% were other types. Now it is less than50%.

A less high-profile attack comes with the growingnumber of spear-phishing messages. These look likethey have come from employers or colleagues whomight feasibly send IT communications and includerequests for user names or passwords. But the realtruth is that the email sender information has beenspoofed in an attempt to gain access to a companysentire computer system.



16/24

15

CASE STUDY: SMISHING

August 2006 saw the first example of a threat movingfrom the PC environment into the mobile space withan attack that started as a simple mass mailing wormbut was then turned into a SMiShing attack.

The threat targeted two major mobile phoneoperators in Spain, sending SMiSh messages freeof charge via randomly generated mobile phonenumbers through the operators email-to-SMSservice gateway and specifically targeting NokiaSeries 60 devices.

It attempted to trick the victim into downloading free

anti-virus software from the operator. Users thatdownloaded and installed the software from the linkfound themselves infected with malware.

Most of the code was in Spanish with someGerman comments, illustrating that cybercrimeknows no borders.


MOBILE THREATS: HOW CRIMINALS ARE

EXPLOITING NEW TECHNOLOGYSMiShing (phishing via SMS), is a recentphenomenon that takes the concept and techniques ofphishing via email and translates it to text messages.

Episodes of this activity have been minimal to date butthe nature of current attacks suggests that much of ithas been authored by script kiddies looking to takenew code to standard execution. Now SMiShing hasbecome part of the cybercrime toolkit, there will be aconsiderable rise in attempts over the coming months.

As we become more reliant on our personal mobiledevices outside of the home and office, SMiShingstands as a clear indicator that cell phones and mobiledevices will increasingly be used by perpetrators ofmalware, viruses and scams.

UPDATING OLD TRICKS SPAM BECOMESPICTURE PERFECT

Spam continues to remain one of the biggestchallenges facing Internet consumers, corporations,and service providers today - with the cost of spamimpacting bandwidth, delayed email, and employeeproductivity. Spammers continue to employ newtricks to avoid detection and open up new streamsof revenue.

Image spam has been significantly increasing and nowmany varieties of spam - typically pump and dumpstocks, pharmacy and degree spam - are now sent asimages rather than text. In October 2006, image spamaccounted for up to 40% of the total spam received,

compared to about 10% a year ago. Image spam istypically three times the size of text-based spam, sothis represents a significant increase in the bandwidthused by spam messages.

Traditionally, spammers have also used well-knowntop level domains (TLDs) such as .com, .biz or .info. Butnow, by using top level domains from small islandcountries, such as .im from the Isle of Man in the UK,spammers attempt to avoid detection by usingdomains previously unknown to spam filters. Thistrend has been nicknamed spam island-hopping.


17/24

16

PERSONALLY HELD TO RANSOM

In May 2006, Helen Barrow, a 40-year-old nurse fromRochdale in the UK, discovered her computer files hadvanished and had been replaced by one 30 digitpassword -protected folder.

She also found a new file named instructions on howto get your files back. On opening it, Ms. Barrow wastold that the password to unlock the encrypted foldercontaining her files would be provided following apayment for drugs from an online pharmacy. MsBarrow contacted police and an IT expert whomanaged to recover some of her files, which included

coursework for her nursing degree.

When I realised what had happened, I just felt sick tothe core, Helen said. I had lots of familyphotographs and personal letters on the computerand to think that other people could have beenlooking at them was awful.

Thankfully, the password for this particular attack wasmade widely available by security firms, but theunderlying trend is worrying.

GLOBAL BOTNET ARMIES

Botnets the jargon term for a collection of softwarerobots, or bots, which run autonomously.

BOTNET FACTS IRC BOTS grown from 3% 22% of all malware

(2004 2006)

Costs of protection can be more than ransom costs

By far the major emerging threats are Botnets andwe are also seeing more sophisticated malicious code.For example, some malware has the ability to deploykeystroke-loggers, harvest stored passwords and take

screen captures of infected hosts. These techniquescan enable criminals to obtain full identity profilesfrom victims as well as being able to potentially access

their financial and personal data.

Robert Burls MSc, Detective Constable, Metropolitan Police

Computer Crime Unit

In the 2005 McAfee Virtual Criminology Reportit wasrevealed how botnets were becoming the method ofchoice for criminals. Organised crime gangs werehiring script kiddies to deploy a large number ofasymmetric threats simultaneously on a business via itswebsite.

As predicted last year, there has been a significantincrease in botnets and they are now the preferredweapon of choice for cyber criminals, used for

phishing schemes, illegal spamming, stealingpasswords and identities and spreading pornography.At least 12 million computers around the world arenow compromised by botnets.


HOW HOME USERS ARE BECOMING A

FAVOURITE TARGET FOR CRIMINALSIn the 2005 McAfee Virtual Criminology Reportit wasrevealed how there had been a massive increase inextortion demands primarily targeting businessesreliant on the Internet for their business.

Using thousands of computers around the world thatwere infected with malicious code, the reportrevealed how criminals were able to marshal botnetsto bombard corporate websites blocking all genuinetransactions and communities also known as adistributed denial-of-service attack (DDoS).

The report highlighted how criminals had targeted

online gambling sites given the volume of transactionspurely online.

In 2005, the OCLCTIC (Office Central de Lutte contrela Criminalit lie aux Technologies de lInformation etde la Communication) investigated 48% morebusiness-related crimes than in the previous year. Thenumber of people accused and prosecuted increasedby 30%.

The increase in crime investigations can be explainedpartly by the rise in the number of criminal activitiessuch as blackmail, racism and extortion.

5

Today this kind of extortion and distributed denial-of-service (DDoS) attack using botnets are being used bycriminals on home pc users. Online blackmailers areincreasingly looking towards the easy pickings of therelatively non-savvy home pc user. With consumersstoring more and more documents of financial andsensitive value (banking details, work files) as well assentimental value (photos and music) criminals haverealised that they will pay up to have them restored.


18/24

17

CASE STUDY: THE INTERNATIONAL BATTLEAGAINST BOTNETS

A 63-year-old man in Suffolk, a 28-year-old man inScotland, and a 19-year-old man in Finland werearrested on June 27, 2006 in connection with aninternational conspiracy to infect computers usingbotnets. The Metropolitan Computer Crime Unit, theFinnish National Bureau of Investigation (NBI Finland)and the Finnish Pori Police Department collaboratedto arrest the men, who are all suspected of beingmembers of the M00P cybercriminal gang.

CASE STUDY: HACKER MARKETING

Majy, a hacker, was paid $0.20 per install oncomputers in the US and $0.05 per install oncomputers in 16 other countries including France,Germany and the UK.

He received income from a host of affiliate-marketingcompanies including TopConverting, GammaCash andLOUDcash.

Adware distribution is also a key example of just howinter-related cybercriminals are in todays world. Thevast majority of adware and spyware is thought to bethe result of one large, distributed but connectedorganisation.

Undercover criminal operations have seen manyadware-distributing companies often mutually linkedby agreements with varying degrees of secrecy andsome sites regularly change names, which meansthat money generated is high whilst detection isvirtually impossible.

CRIMINAL COLLABORATION & MALWARE MAFIA

FAMILIESOPEN SOURCE TECHNIQUES

The growth of bots is due to two factors - financialmotivation and the availability of source code.Without financial incentives, there would be far fewervariants. For example, the financially neutral Mydoomfamily has far fewer variants than any major botfamily. And without large-scale source-code sharing,we would not see the handful of massive families thatare evident today.

Bot authors are increasingly using open sourcedevelopment techniques, such as multiple

contributors, releases driven by bug fixes, paid featuremodifications, and module reuse. A virus or Trojan isusually written by a single author who has completecontrol of the features and timing of the releaseupdates. Bots, however, are different. Most bots arewritten by multiple authors.

The use of a professional development methodologyrepresents a critical change in malware evolution. Thisform of collaboration is expected to make botnetsmore robust and reliable - and being able to offercustomers a guaranteed ROI will cause the bot andoverall malware market to grow explosively within thenext few years.

Bots will continue to push the malwareengineering envelope.

ADWARE AFFILIATIONS AND FAMILIES

ADWARE FACTS

All major search engines return risky sites whensearching for popular keywords

Between 2000 and 2002, there were only about tenadware families. By May 2006, there were more than700 adware families with more than 6,000 variants

The most prolific distributors of adware are actuallystar/celebrity sites, not the commonly believed adultand pornography websites

Spyware and adware are usually made and marketedby legitimate corporate entities for specific advertising

and market research purposes. They install themselveson a users machine, often as the trade-off for a pieceof free software, collecting marketing data anddistributing targeted advertising.

However, the emergence of lucrative online affiliatemarketing models, whereby advertisers share revenuewith other websites which feature ads and contentdesigned to drive traffic to the advertisers site, hasopened up new opportunities. Hackers are abusingthe system by fraudulently taking money as anaffiliate, then hacking into computers without thepermission of the computer owner. By varying thedownload times and rates of adware installations,

as well as by redirecting the compromised computersbetween various servers, hackers can evade the fraud-detection of the advertising affiliate companies whopay them for every install.



19/24

18

Criminals cannot operate without opportunity. Thefast evolution of technology and the struggle ofconsumers and businesses to stay in step with the risksmean their prospects and profits are growing at arapid pace.

In terms of corporate IT security worries, top of the listright now is spyware as well as data theft usingdevices such as USB sticks. Viruses, firewalls and spamare, to a large extent, understood and under control.But detecting spyware centrally, and controlling theuse of USB sticks, is a real worry to companies bothlarge and small, from a theft and confidentiality point

of view.

One of the biggest challenges of todays data-richworld is making the most of technology. Technology

provides an opportunity for offenders and also anopportunity for crime prevention. I have great faith inthe technology but much less faith in humans in beingable to use it properly.

Professor Martin Gill - Director of Perpetuity Research andConsultancy International and a Professor of Criminology atthe University of Leicester

INSIDE THREATS

Most companies view security threats from an outside-in perspective. There are, however, significantemerging threats to security that are not beingintroduced from external, unknown sources, but fromemployees themselves.

Employee ignorance and negligence within theworkplace is opening up cracks for cybercriminals toexploit. Lack of security attention and awareness byemployees means there is a high risk of malware,viruses, worms and Trojans being spread to the worknetwork. It only takes seconds for an employee toattach an unprotected laptop or PDA to the worknetwork and seriously expose the whole environmentto infection. Few have any idea that their company

laptop may not have the latest security updates.Workers are also bypassing their company securityprocedures by attaching their own devices, such asiPods, USB sticks and digital cameras.

INSIDER FACTS

Nearly a quarter of European professional workersconnect their own devices or gadgets to thecompany network every day

Nearly a quarter of European workers use their worklaptop to access the internet at home

A staggering 42% of Italian workers let family and

friends use work laptops and computers to access theinternet

One in five Spanish workers download contentinappropriate content while at work

SECTION THREE

THE INSIDERS: THE NEW THREAT TO CORPORATES


20/24

19

CONFIDENTIAL AND COMPACT INFORMATIONTRANSFER

In 2006, an almost full 1GB flash drive of classified USMilitary information was apparently lost and later soldat an Afghani bazaar outside a US air base.

The flash memory drive, which a teenager sold for$40, held scores of military documents marked secret,describing intelligence-gathering methods andinformation including escape routes into Pakistanand the location of a suspected safe house there, andthe payment of $50 bounties for each Taliban or AlQaeda fighter apprehended based on the sourcesintelligence.

DATA LEAKAGE

A key threat for companies is the ease of which dataand information can be taken out of the company.Criminals are realising that unsecured removablemedia devices such as USB sticks provide an easymeans of carrying confidential and financially valuable

information out of the workplace.

Criminals are actively targeting employees orsponsoring under graduates. An insider puts a wealthof information in their hands, easily transferred andvirtually undetectable. They then hold the stolen datafor ransom or sell it to the highest bidder.

This threat is set to worsen with the emergence of U3sticks - if they are not secured. These new generationdevices can be booted from more easily and can carryinstalled applications that can be run directly from thestick, meaning that essentially it is possible to haveyour entire PC in your hand or someone elses.

CORPORATE ESPIONAGE:Corporate espionage is big business. Data is oftenpriceless property and can mean the make or break ofa company. Stealing trade secrets information orcontacts - is a lucrative money-spinner forcybercriminals. As well as exploiting data leakage vianew technologies and devices, criminals are findingnew ways to use keylogger programs to getpasswords, read email and keep track of a useractivity. Spyware writers are also using Trojans to

remotely access computers and execute code forinstant access to information.

We believe that targeted attacks will continue to

grow in number, both for businesses and governments(industrial and political espionage). Were seeing officeapplications combined with social engineeringtechniques being used as vectors in these.

Erik de Jong, Project Manager Govcert.NL

SECTION THREETHE INSIDERS: THE NEW THREAT TO CORPORATES


21/24

20

As long as client/server systems and basic Internetmethods remain inherently insecure, there is no hopefor a reduction in criminal activity.

Professor Klaus Brunnstein, University of Hamburg

The growing ingenuity of cybercriminals is a seriouschallenge for consumers, businesses and lawenforcement organisations. Like hackers, organisedcriminals are looking for the next new opportunityto exploit.

A lot of work is being done to educate users, focusingon increasing awareness and encouraging them to notbe duped into revealing personal information suchas passwords.

As broadband usage becomes ubiquitous, alwaysconnected means users are always at risk. As creditchip and pin becomes the standard, criminals will lookto ways it can fraudulently make money fromtransactions online.

The Internet is now common place for organisedcrime gangs.

McAfee believes the following are key IT security

trends for businesses and consumers to be aware of inthe next 12 months:

AVAILABILITY OF LOW-COST PCS

Unprotected or under-protected computers are thenew currency of organised crime. Most companies orconsumers who understand the value of the growingcontent on their computers will take somepreventative measures to ensure that it is protectedfrom prying eyes, loss or theft. But with advances in

technology and research progressing to buildcomputers and laptops at ultra low-cost, the incentivesto put those measures in place will likely beincreasingly overlooked, providing easy targets forcybercriminals to profit from identities andinformation stored.

RISING THREATS TO MOBILE DEVICES

Mobile devices present a serious challenge to datasecurity, with the growing power of connectivity, theincreasing volume of data stored on them and theenormous potential to infect both personal and

enterprise networks.

The growth of malware targeting mobile telephony isan area for concern. The numbers are still small ataround 300 and rates of growth are oftenexaggerated, but there can be no denying that thisfigure will grow. Examples of financially motivatedmobile malware have already been seen and when thephone becomes the standard means to transfermoney, the attack rates will explode.

Additionally, modern mobile phones (smartphones)are in essence miniature, portable computersand theybring with them all the same associated risks as thetechnology matures: viruses, spam, phishing (orSMiShing), and people stealing data from lost, stolen,recycled, or resold devices. Highlighted previously inthis report were the risks of data leakage and identitytheft via not wiping files effectively before disposingof a computer, but the same holds true of todaysmobiles which contain contacts, photos, emails andconfidential files or information. Data leakage or thefthas already been seen on live devices too.

SECTION FOUR

FUTURE CHALLENGES


22/24

21

Smartphone sales have increased by 75.5% in the lastyear to 37.4 million units, and will grow by a further66% during 2006.

1The growing prevalence of the

multifunctional mobile in todays society and whichwe hold as a natural lifestyle accessory which weeffectively connect with - even more so than acomputer guarantees them a very real target foridentity and data cyber-thieves.

EXPLOITATION OF INTERNET PHONE CALLS

Total VoIP subscribers are projected to grow from 16million in 2005 to over 55 million in 2009 worldwide.

2

The introduction of VoIP on enterprise networks in theabsence of appropriate security measures willintroduce another entry point for attackers to exploit the next generation of phone hacking.

GROWTH OF MULTIMEDIA DEVICES

The integration of technology brings integrated risk.This risk is heightened by the fact that the vastmajority of users fail to understand the fullfunctionality and capabilities of technologies, and do

not appreciate or protect themselves against thesecurity threats.

SUBTLE INFECTION VIA SOCIAL NETWORKINGSUCH AS BLOGGING

Businesses and individuals alike have been creatingand reading blogs increasingly over the last 12 monthsand this too presents associated risks. Millions ofyoung people post online diaries that are often opento anyone that is surfing the web, meaning that

SECTION FOURFUTURE CHALLENGES

personal information is on show and available forthose identity thieves looking to build up theirpseudo-profiles.

Additionally, consumers who use web-based serviceslike loglines or Web browsers such as F irefox to viewnews feeds and blogs are vulnerable to embeddedmalicious code that can install spyware, log keywordsand passwords and scan networks and PCs for

open ports.


23/24

22

US:

FBI CYBER DIVISIONThe FBIs cyber mission is four-fold: first and foremost,to stop those behind the most serious computerintrusions and the spread of malicious code; second, toidentify and thwart online sexual predators who usethe Internet to meet and exploit children and toproduce, share, or possess child pornography; third, tocounteract operations that target US intellectualproperty, endangering national security andcompetitiveness; and fourth, to dismantle national andtransnational organized criminal enterprises engagingin Internet fraud.

UK:

METROPOLITAN POLICE COMPUTER CRIME UNIT

The Computer Crime Unit is a centre of excellence inregard to computer and cyber crime committed underthe Computer Misuse Act 1990, notably hacking,maliciously creating and spreading viruses andcounterfeit software. The unit provides a computerforensic duty officer and offers computer evidenceretrieval advice to officers.

PROFESSOR MARTIN GILL:Director of Perpetuity Research and ConsultancyInternational and a Professor of Criminology atthe University of Leicester

Professor Martin Gill has published over 100 journaland magazine articles and 11 books includingCommercial Robbery, CCTV, and Managing Security. Heis co-editor of the Security Journal and foundingeditor of Risk Management: an International Journal.Martin Gill is a Fellow of The Security Institute, amember of the Risk and Security Management Forum,the Security Guild (and therefore a Freeman of theCity of London), the ASIS International Foundation

Board, an overseas representative on the ASIS

International Academic Programs Committee and theASIS International Security Body of Knowledge TaskForce. With PRCI colleagues he is currently involvedwith a range of projects related to different aspects ofcrime in organisations and private security, thisincludes shop theft, frauds, staff dishonesty, burglaryreduction, robbery, the effectiveness of securitymeasures, money laundering, policing, violence atwork, to name but a few.

GERMANY:PROFESSOR KLAUS BRUNNSTEINProfessor of Information Technology at theUniversity of Hamburg

Professor Brunnstein is President of the council of theNotfall-Rechenzentrums fr Grorechner in Banken,Versicherungen und Industrie in Hamburg, a role hehas held since 1983. His areas of speciality are dataprotection, IT Security and computer viruses.Previously, Professor Brunnstein was a member of thechairmanship of GI (Gesellschaft fr Informatik) from1996 until 2001 and currently still holds the role ofPresident of the International Federation forInformation Processing (IFIP).

CHRISTOPH FISCHER:General Manager of BFK edv-consulting GmbH

Christoph Fischer is the general manager of BFKedv-consulting GmbH. He has more than 20 years ofexperience in the IT Security area, specialising increating and testing security concepts. He is also amember of the following organisations: EICAR, FIRST,Cybercop Forum and EECTF. Christoph Fischer studiedat the University of Karlsruhe (TH).

NETHERLANDS:

GOVCERT.NLGOVCERT.NL is the Computer Emergency ResponseTeam for the Dutch Government. Initiated by theMinistry of the Interior and Kingdom Relations andofficially operational since June 5, 2002, it supportsthe government in preventing and dealing with ICT-related security incidents

GOVCERT.NL works independent of suppliers as agovernment organization, and are part of ICTU, theDutch organization for information andcommunication technology in the public sector.

THE CYBERCRIME EXPERTS AND LAW

ENFORCEMENT AGENCIES:


24/24

23

SECTION ONE

1Source: Robert Schifreen, author of Defeating the Hacker, derived from online research June-September 2006

2In an interview with Tom Zeller Jr. of the New York Times:

http://www.nytimes.com/2006/07/04/us/04identity.html?pagewanted=3&ei=5088&en=18bc230a1ae1ba06&ex=1309665600&adxnnl=0&partner=rssnyt&emc=rss&adxnnlx=1162985316-o1mmMf67Bb0R8vQ8wCG6QQ

3

Source: Robert Schifreen, author of Defeating the Hacker, derived from online research June-September 2006

4

Source: Article on Stasi Recruits by Jamie Dettmer: http://findarticles.com/p/articles/mi_m1571/is_38_15/ai_56904965(Accessed 17 July 2006)

5In an interview with computer scientist Marcus Rogers of John Jay College, New York:

http://www.newscientisttech.com/article.ns?id=dn9619&feedId=online-news_rss20. (Accessed 28 July 2006)

6In an interview with Valerie McNiven, advisor to the US government on cybercrime:

http://www.theregister.co.uk/2005/11/29/cybercrime/(Accessed 4 June 2006)

SECTION TWO

1

Figures taken from the FBI website: http://www.fbi.gov/page2/june06/cimip062806.htm(Accessed 4 July 2006)

2

Figures from Secure Computing Research cited in: http://www.securecomputing.com/index.cfm?skey=1634(Accessed October 2006)

3

Figures taken from an RSA Security report cited in: http://www.rsasecurity.com/press_release.asp?doc_id=6877&id=2682(Accessed June 2006)

4Figures taken from a Harvard University and the University of California study:

http://www.computerworld.com.au/index.php/index.php?id=217996450 (Accessed September 2006)

5An extract of an article entitled Les chiffres de la cybercriminalit en France by Francois Paget, Senior Virus Research Engineer,

McAfee Avert Labs. September 2006.

SECTION FOUR

1

Taken from Gartner statistics reported in the media in October 2006: http://news.com.com/Smart-phone+sales+are+soaring/2100-1041_3-6124049.html

2

In Stat prediction figures: http://www.instat.com/newmk.asp?ID=1566

REFERENCES

Virtual Criminology

Documents

Transcript of Virtual Criminology