Cyber crime is a lucrative trade and it's growing
Estimates of the cost of cyber crime go up to $1trn. Whatever the truth, the internet is quite murky - and getting worse, says Dave Waller.
It is now six years since the US Secret Service launched Operation Firewall, the sensational raid that shone a spotlight on the ShadowCrew online crime forum. It was the largest ever law enforcement operation against the digital underground. This was the quintessential cyber crime story: a hotbed of counterfeit credit card scams, a network of 4,000 criminal members spread around the world – and a suitably gung-ho outcome, where the Secret Service swooped in with semi-automatic weapons and grabbed the stunned ‘crew' in night raids as they sat at their desks. US attorney general John Ashcroft declared the 2004 sting the first major victory in the war against carders.
The years have rolled on, but the internet remains a shady place, ripe for ShadowCrew's successors. Just ask Innovative Marketing. The Ukrainian online security company is estimated to have earned $180m through sales of its anti-virus software in 2008 alone. Not a bad haul – especially as it was a scareware scam and the viruses it was ‘detecting' didn't even exist.
The three bosses at Innovative Marketing – from the US, Sweden and India – are now engaged in their own dalliance with US law. As such they are among that rare breed of cyber criminal – the ones who actually get caught.
The virtual criminal community is highly organised, with millions of dollars being generated by tightly coordinated groups of specialists, all syphoned by naive money mules into bank accounts around the world. And most of them are getting away with it.
Exactly how much, no one really knows. There are claims cyber crime is worth $1trn, or that it is bigger than the drugs trade, but these are all too easily dismissed. Yet one conclusion remains hard to avoid: the cyber crime phenomenon will continue to grow, with virtually no barrier to entry, potentially limitless spoils, and a slim risk of getting caught.
Of course, not everyone gets away with it. Max Ray Butler aka ‘Max Vision' aka ‘Iceman', a prolific malicious hacker, was jailed this February for 13 years, after rinsing US banks of around $86m, in a series of audacious credit card scams. Butler also hacked into other illegal forums, wiped out their databases and absorbed their content and membership into his own site, a ShadowCrew-like hangout for carders and scammers, called CardersMarket.
Jail also beckoned for UK-based Sri Lankan Renukanth Subramaniam, 33, founder of DarkMarket, a site described by his prosecutor as “Facebook for fraudsters”. DarkMarket, ultimately infiltrated by the FBI, even operated a secure payment system, allowing users to ‘review' the criminal services on offer. How's that for sophistication?
There are hundreds of such communities online, based solely on criminal trade, established to sell anything from off-the-shelf botnets to credit card data and people's banking logins, powered by databases containing hundreds of millions of pieces of information. “I've been in one criminal forum with 37,000 members,” says Rodney Joffe, senior vice president and senior technologist at Neustar. “Each of these could easily steal $500 a day, just by compromising two credit card accounts.”
Sounds like a lucrative business. And business is exactly what it is. According to the 2009 Verizon Business Data Breach Investigations Report, 91 per cent of all records of attacks were linked to organised criminal groups. “The criminals are operating like an SME,” says Matthijs van der Wel, manager of the EMEA forensics practice for Verizon Business. That's no exaggeration: Ukrainian Roman Vega, founder of the infamous Boa Factory forum, was even said to keep lawyers, botnet owners, hackers and traffickers all on his payroll.
So how big is the global cyber crime scene? It's hard to say. As befits its shadowy nature, it is not easy pinpointing reliable figures. “I've been at conferences where you get different reports – like the one saying cyber crime is worth trillions of dollars,” says David Emm, senior regional researcher UK at Kaspersky Lab, “but I'm sceptical: unless we get reports of all the attacks going on, we can't know exactly the turnover of these activities.”
Richard Stiennon, chief research analyst at research firm IT-Harvest, has done the donkey work to dig out the origins of the more spurious claims. According to Stiennon, the “bigger than the drugs trade” idea first emerged in 2005 with Valerie McNiven, a consultant to the US Treasury, who proposed the figure of $105bn, qualifying it with the phrase “I believe”. Hmm. That number duly did the rounds, appearing again in a September 2007 speech by McAfee chief executive David DeWalt. By March 2008, it had taken on a life of its own, with Ed Amoroso, chief security officer at AT&T, telling a Congressional Committee it should beware a cyber crime phenomenon worth $1trn a year. The Congress may also wish to be careful of Chinese whispers.
The FBI's Internet Crime Complaint Center remains the most reliable source: losses from incidents reported to its website in 2009 totalled a far more conservative $559.7m. That's a striking leap from $264.6m the previous year and still quite a total, especially when you take into account the vast volume of losses that go unreported, by companies under no obligation to advertise how vulnerable they are.
The FBI hasn't put a figure on the scale of the drugs trade. Nor does it publish a statistic comparing spoils from the two types of crime. Stiennon has said cyber crime profits may be worth closer to $1bn a year, but it could be more than that, given the FBI's figure for the number of reported cases.
“This is just the tip of the iceberg,” says Emm. “It's just the stuff that we know about. Eight or nine years ago, business was only using the net for communications, not this huge scale of financial transactions and two-way social networking. Like pickpockets, cyber criminals are simply going where the crowds are.”
The most striking development in cyber crime is that crime ‘sub-communities' are emerging, comprising specialists for each part of the process. In other words, the criminals have built a supply chain: the code specialist will sell their work to someone skilled in distribution, who will then obtain details and sell them on to someone skilled at extracting money. Each sticks to their role. The only truly dangerous part is at the end, when it comes to shifting the cash.
“I was once in a forum speaking to someone selling stolen online accounts, and one had a balance of $180k,” says Guillaume Lovet, senior manager of Fortinet's EMEA threat response centre and author of Dirty Money on the Wires: The business models of cyber criminals. “How much were they selling it for? $300. That shows how much risk there is when you get to handling actual money. It's a job for real laundering syndicates.” For 90 per cent of the chain, it's a job that's almost entirely untraceable. The beauty of the system is that each cog can do their bit, without the moral tug of seeing the victim of the crime, and with no risk of getting caught.
Unless, that is, you're the one at the end of the chain. This is where the wire mule comes in. As they're the only one to actually handle money, it's a role that has become the hardest to recruit for, despite requiring no specialist skills.
“There's no question that the only limit to this illicit activity is the number of mules,” says Joffe. “There are hundreds of millions of accounts to pilfer. It's simply how to find enough suckers to move the money around.”
Recruiting mules is a tricky job that, again, has bred specialists. And they are being rewarded for their skill. “The one setting up the theft will get 30 per cent of the income,” says Joffe. “The mule provider gets 70 per cent.”
So how does someone become a mule? Scouring online job ads, they will stumble upon an ad for a role as, say, financial transaction manager for a company that is seeking a presence in that country. They're offered the chance to work from home, and the job is moving £10k into a certain bank account – for a ten per cent commission. Each mule will be used only a couple of times, and when they are caught most claim they don't know it's illegal, and they are unable to lead the police any further up the chain. It's once again thanks to the ingenuity of the scammers that so many potential mules are proving to be ‘suckers’.
“The site looks genuine,” says Joffe. “All the paperwork is there and the phones get answered when you call them. And they're not even promising outlandish money – it's $3k a month, not $10k. Many companies employ people to work from home these days. It doesn't look odd. It's just brilliantly simple marketing by the criminals. They are becoming very good at what they do.”
While it is easy to imagine there would be coercion in the process, mules are usually recruited without it. Most mules are unaware they're involved in something illegal, and are simply driven by the lure of easy money. You don't need to resort to coercion when there's the chance to make a quick buck – especially in the current climate.
Successful groups are following the model used by organised crime: generals, lieutenants and a network of affiliates. And while it would be misleading to imply it's the work of traditional organised crime gangs, they are now getting involved – drawn, as always, by the chance to make the most money at the lowest risk. “Classic organised crime gangs, like the Russians or the Thai gangs, whose other business is in human trafficking or drugs, are increasingly looking into banking fraud,” says Paul Henninger, head of product management at financial crime prevention and compliance provider Actimize, a NICE company. “It's lucrative, low-cost and risk-free. With drugs you have to deal with potentially dangerous criminals, face-to-face. In financial fraud, no one has to physically interact with another criminal.” Indeed, with Trojans stealing the money, why would you risk robbing a real bank?
“We're dealing with a complicated criminal element with an excellent infrastructure to support any illicit trade,” says cyber crime expert John Walker. “If the traditional organised criminals haven't spotted the benefit of embracing this technology yet, I'd be extremely surprised. In my investigations, I've never got beyond the second layer of people to see who's pulling the strings, and those at the top are sitting very far back.”
The big cheeses at Innovative Marketing clearly didn't sit far back enough. For one thing, they left their servers with no password protection, which made it easy for investigators to find out what was going on.
What they found was a company, advertising in the Economist magazine, flogging hundreds of fake anti-virus products on an unprecedented scale. It even had its own customer helplines. Now it has been charged with computer fraud and wire fraud, after previously being ordered to pay $163m following a civil suit brought by the Federal Trade Commission.
Innovative Marketing's initial success is indicative of a couple of things: first, the growing trend towards scareware. McAfee says it saw a 400 per cent increase in such incidents reported last year and predicts it will be the most costly online scam in 2010, infecting around one million computers per day and delivering profits of over $300m.
It also provides the perfect example of an illicit firm basing itself in a less stringent jurisdiction in a bid to evade the law. Many fraudulent enterprises are run from countries with weak legislation, ineffective law enforcement and corrupt officials, such as the Ukraine or Vietnam. “These companies are registered in Belize or Panama, but have offices in the Ukraine or Russia,” says Sebastian Zabala, security expert at Panda Security. “You do see traces of these companies, but the people behind them are developing the technology and creating the software all around the world.”
Brazil has a huge malware problem and has become a centre for botnet creation, but as well as the corporate attacks, its criminals also target wealthy individuals and spear phish them with elaborate con tricks. Meanwhile Russia and the former Soviet states remain centres for botnets and online banking fraud: salaries are low, yet levels of technical education high, so it's easy to tempt people to participate in crime: when you are on $300 a month, it is hard to say no. And there are no physical barriers to what you can achieve: a kid in Belarus can cream off a wealthy British banker, no problem.
Indeed, to paint a picture of cyber crime as entirely organised would be misleading. The trend may have shifted from youthful mischief to genuine money-making, but the flood of technology means it has never been easier for individuals to get involved too. You can buy an off-the-shelf botnet easily – or make one yourself. Where it used to be only technically adept script kiddies attacking company websites, now anyone can do it – just buy the kit. If you want to steal passwords, visit YouTube for a tutorial in building keyloggers. Or go to specific sites offering ‘Cyber crime as a Service' (CaaS), saying you want to hack into this company or that Facebook account. It will cost you around $90.
The daily news reveals countless incidents of individuals caught up in cyber crime. There's the recent case of the German man accused of using malware to control webcams and spy on 150 teenage girls. Or that of Minnesotan Barry Ardolf, who stands accused of hacking into his neighbour's computer to threaten US vice president Joe Biden.
The statistics remain elusive. When the crime scene involves everyone from criminal gangs to lone meddlers, and victims aren't in a hurry to publicise their own problems, it's going to be difficult for firm figures on cyber crime to come to light. “This scene involves so many different actors with so many different roles, ages and backgrounds,” says Lovet, “from your 13-year-old in the Ukraine to international crime syndicates.”
Cyber crime is underground and it is making money off us. We may not know how much, but it's growing. And in time, as more cases emerge from the shadows, who knows? Perhaps that drug trade comparison won't seem so unlikely.
I have been tracking cyber crime since 2003 (says Dave Jevans). Looking at the arrests, it is evident that most perpetrators are involved in other forms of money laundering too, such as the drug trade. And the hosts of crime forums will also host child porn and other illegal content. Everything is linked.
But it's hardly people moving from drugs into writing their own malicious code. They will simply suddenly see kids in their area driving around in Bentleys, figure they are on to cyber crime and threaten to break legs if they don't get a cut.
I have seen huge demand for the latest malware products in Russian crime forums. There are forums just in Spanish, for Spanish users. I haven't seen Chinese or Korean forums, but I'm sure they are there. It's spreading. The best criminal products are becoming sophisticated – they've even added source code licensing, so you can only run it from the computer where it's registered. It's like a proper software business.
In the past 18 months, I've noticed that the bad guys in the US, Latin America and Europe have realised it is a lot easier to steal £500k from a corporate account in one go than it is to take £1k from 500 consumers. Word gets around, and other crime groups crop up to get involved. There are now four or five gangs using Zeus to target US banking customers. Millions of PCs are infected. There are hundreds of groups running botnets we know about. And there are the hardcore ones we don't.
The bad guys are both technical and social engineers: it's not just about making sophisticated code, it's about people. They will find their way into your account. They may distribute malware by social networking – posting links to a ‘cool video' and infecting friends' computers that way.
They are also going after small companies and the smaller state governments, or the accounts of employees at credit report agencies. They phish to get onto their databases, then they can seize people's date of birth, their mother's maiden name – all the stuff you need to verify your identification at the bank. Then they are in.
No one has a consistent view of what's going on. All of these different groups are committing different crimes in different places. I see more and more illegal payment networks springing up in Eastern Europe, allowing people to make anonymous transfers – from the UK to the Ukraine and then across Eastern Europe – without being tracked. That is exploding: there are so many more than three years ago, up from three or four to around 40.
It is becoming increasingly sophisticated. I have personally encountered call centres, where multiple people are on phones making calls pretending to be customers. You know it's fake, as it's a call coming from Florida, but the customer is in Utah. And you can hear people in the background doing the same thing, pretending to be someone else.
It doesn't cost a lot to get involved in cyber crime and the chances of getting caught are remote. The incentive is obvious – you can make $10m tax-free in six months. The FBI reported the loss of hundreds of millions of dollars last year, just from small business. And I believe it will be a billion-dollar problem this year.
Dave Jevans is CEO of secure flash drive maker IronKey and founder/chair of the US-based industry forum, the Anti-Phishing Working Group (APWG).