Cyber Crime

Richard Morris investigates the increasingly sophisticated tactics of an industry that survives and thrives by feeding off the wealth of others.

For professional cyber criminals there is no greater financial incentive than a great web crime. That intoxicating blend of decrypting passwords, identity theft and the lure of large amounts of money has weakened the knees of many an aspiring hacker.

This I learn from Dan Harris (not his real name), a 35-year-old former car dealer, who is sipping lukewarm tea. He casts a suspicious glance around all corners of the visitors’ hall in Her Majesty’s Prison, Bedford, where the air is heady with stale urine, floor polish and yesterday’s spaghetti bolognese.

Harris was convicted last month of theft. He built a website and filled it with the promise of rich rewards for a small fee. The website was bogus, as were his credentials as a financial adviser. He was arrested after a police detective, posing undercover as a willing punter, befriended him. When his case came to court, it was found Harris had netted over £5,000 from unsuspecting share-tippers in just six weeks.

‘It’s very easy to fool people on the web because so many believe it’s safe, but it’s only as safe as people make it,’ he told me. ‘Even now the police are generally stumped if someone phones to say they’ve found someone has tried to hack into their network or computer. There is a great technical black hole, if not complete stupidity in the police, at dealing with this sort of crime.’

‘In any case,’ Harris continues, ‘most computer crime goes unreported. Banks often turn a blind eye to small incidents of theft to bank accounts, simply because they do not have the time or staff to spare for investigating less serious crimes. I did not expect to get caught so quickly.’

It is easy to see why Harris was so confident. Cyber crime is becoming so endemic that security agencies worldwide now regard it as the third most important area of criminal activity after terrorism and foreign intelligence operations.

It is a huge industry. Fake passports, for instance, can change hands on the web for as much as £5,000, and bogus credit cards between £3.50 and £150, depending on the card type, how good the copy is and the criminal involved. But the bigger money is to be made by tapping into operating systems.

Cyber crime is now largely based in eastern European countries such as Bulgaria, Hungary and Romania, whose criminal underworlds are notoriously difficult to enter. In these countries, terrorists frequently use hackers to make money for their organisations. This has led two of the world’s best-resourced intelligence agencies, the FBI and Britain’s homeland security service MI5, to better coordinate their attack on internet crime.

Both organisations know very well that hackers can easily take over computers in any part of the world to send spam messages with covert codes to record key strokes, which, in turn, can rob users of confidential details. The enormity of the task of hunting down the hackers should not be underestimated. This has led the FBI to try to recruit computer hackers for their expertise, in an effort to develop strategies to defeat cyber criminals.

According to David Thomas, Chief of the FBI’s Cyber Division’s Criminal Computer Intrusion Unit (CCIU), there is only one certainty in today’s increasingly fitful world: your security will be breached. It is just a matter of when.

‘As cyber crime becomes more sophisticated and organised, we are asking for the help and partnerships of private sector companies and individuals. It is possible that critical information on terrorism and cyber crimes could be at these people’s fingertips and in their hands before they reach ours,’ said Thomas.

The FBI specifies three key types of threat. First, there are the unstructured attacks, carried out in the main by insiders or hobbyists. Second, there are structured threats, organised by crime syndicates. This includes attempts at industrial espionage, as well as raids carried out by terrorists, particularly on financial targets.

The third threat, rather oddly, involves rival intelligence agencies squabbling over secret information and refusing to hand it over for fear it might upset another’s detailed plans.

This apart, the FBI is helping to develop new techniques to take on the latest generation of sophisticated and better-organised cyber criminals. Four years ago, it created its own Cyber Division and has established specially trained cyber squads in each of its 56 field offices across the US; these efforts have resulted in 60 prosecutions.

Similarly, MI5 has spent vast sums of money recruiting specialised IT staff and buying supercomputers. The UK’s National High-Tech Crime Unit (NHTCU), now part of the Serious Organised Crime Agency (SOCA), has also updated staff training and hacker-detection techniques.

Stressing how successful the alliance against e-crime is becoming, the UK Government cites a recent case involving the prosecution of three Russians who attempted to extort money from UK web-based betting sites using botnet-derived DDoS (Distributed Denial of Service) attacks.

The Russian gang followed this up with blackmail threats. An attempt to persuade the businesses to hand over up to $4 million in ransom demands failed, and each of the hackers was jailed for 8 years after UK and US agencies enlisted the help of Interpol and Russian police.

The Home Office is so concerned about the threats internet criminals can deliver that it has proposed changes to the existing 16-year-old law, which, it argues, will help to prosecute hackers and put them behind bars for longer.

It specifically intends to target denial-of-service (DoS) attacks, which are often used, like the remote attack from Russia, to steal money from online gambling sites.

Tom Harris, Labour MP for Glasgow South and a member of the All Party Parliamentary Internet Group (APIG), told Simple-Talk that he believes there is an inconsistency between the severe financial consequences of hackers’ attacks, which have the potential to cause losses of millions of pounds, and the relatively soft sentences currently at the disposal of the courts.

‘It is an issue that up until now hasn’t been taken that seriously. Much of the UK economy relies on the internet, so many services are vulnerable if we allow these attackers to go unpunished. It’s time we faced up to this new threat by increasing penalties and sentences.’

‘The damage that hackers or anyone illegally accessing someone else’s PC can do extends way beyond computers. It can have a serious impact on that firm’s survival, its reputation and the ability of that company to do business,’ adds Harris.

APIG is hoping that sentences for DoS attacks will be increased from six months to two years. This will be seen as a positive move by most in the IT industry.

Phillip Drew, editor of Security Online, and himself a victim of a DoS attack, says that by making the punishment two years, the crime becomes an extraditable offence; an important milestone when dealing with the global threat of cyber crime.

Of course, a specific section against DoS attacks will not stop them happening. This sort of crime is generally well planned and executed. Infected machines operate in a coordinated fashion under the direction of an attacker, who often takes control of hundreds or thousands of computers to launch attacks.

But this has not stopped APIG claiming that ‘publicity about the new offence will reach DoS attackers and some will be deterred by knowing that their actions are clearly criminal.’

The proposed revisions would also make it illegal to create or supply a tool to someone who intends to use it for unauthorized computer access or modification.

This move is particularly worrying to security professionals, who often use the same tools as hackers, but for legitimate reasons, such as for testing the capability of their own systems. Yet the UK and other European countries, such as Germany, maintain that what they are doing is to the benefit of everyone and links in with Article 6 of the European 2001 Convention on Cyber Crime, an article which bans the creation of computer programs for the purpose of committing cyber crime.

So far, 43 countries have signed up to the treaty. China is one notable absentee. A country that is experiencing one of the fastest economic booms on the planet, it has a web-savvy population of approximately 1.5 billion. It is hardly surprising that China is predicted to be home to the next source of cyber criminals.

This belief is also supported by China’s ranking as the second most popular country for sites hosting ‘crimeware’, software tools built with the sole purpose of committing online scams and stealing information from consumers and businesses.

So what can businesses and individuals do to protect themselves? According to David Thomas each firm should:

· Have a computing policy

· Have a working risk assessment programme

· Provide intelligence training programmes to increase awareness

· Ensure that systems undergo regular vulnerability and penetration testing

· Have active content filtering

· Make sure that there is a workable incident response plan

· Conduct forensic analysis on a regular basis

‘As ever, it costs money, millions, to defeat crime and we are all paying the cost. Cyber crime is now viewed with increasing worry by all security agencies. Not just because of the remote way in which it hits its target, but also because of the huge amount of damage it can do. As ever the public is the most vital tool we have helping us fight crime,’ Thomas added.

As internet crime continues to expand every day, one key message advises the IT industry above all to be on its guard. Reporting suspicions means there is a greater chance of tackling cyber crimes as they begin to grow. This could save significant sums of money, both for governments and for all the IT professionals, whose work is legitimate and genuine.