/ 22 September 2011

Cybercrime: Is it out of control?

In April this year, I was invited to give a talk on the psychology of hackers to Fidelity National Information Services (FIS) at its annual get-together in Milwaukee. FIS is one of the biggest providers of technology and card services to the banking industry worldwide. Unsurprisingly, cyber security is among its top priorities.

The talk went well and when answering the audience’s questions, I referred to a recent cybercrime case in Calgary, in Alberta, Canada, in which a cyber gang had hacked into the computer system of a company that provides pre-paid debit cards. These are familiar overseas and also offered by some British banks, aimed at young people and those who can’t get credit through the normal channels.

The scam was impressive in its simplicity and effectiveness. The gang bought a number of pre-paid debit cards in different locations and placed $15 on each card. Once they had broken into the computer system of the company that issued them, they found the network area that dealt with the limits placed on each card. They sought out the cards they had purchased and, using the control they had established over the company’s networked system, they electronically raised the spending limit on the cards from $15 to tens of thousands of dollars. Over one weekend, they extracted about $1-million using the affected cards in ATM machines around the world.

My remarks seemed to strike a nerve, although I couldn’t put my finger on why. Three months later, the reason suddenly became clear to me when arguably the finest investigative reporter who researches cybercrime, Brian Krebs, posted a note on his website about a major security breach at a payment technology company: my old friends at FIS.

But not only that — it turned out that FIS was a victim of exactly the same pre-paid credit card scam as the company in Calgary. Except that FIS had lost $13-million and the scammers, according to krebsonsecurity.com, had used just 22 rigged pre-paid credit cards to syphon off this vast amount of money.

Traditional bank robbers must be absolutely gobsmacked when they hear sums like this being hoovered up by cyber criminals week in, week out. Krebs went on to point out that the FBI had made no arrests in the FIS case. Nobody expected anyone to be nabbed anytime soon. So I thought I would make some inquiries in the cyber underworld. One of my contacts was acquainted with the mastermind of the pre-paid scam at FIS. Over a three- year period, my contact told me, his organisation had earned $34-million. Who knows? They might well have been responsible for the Calgary heist.

The Mr Big who orchestrated the whole operation, I was told, kept 70% of those profits for himself — only 30% went to the hackers and the so-called “cash-out” team — that is, the people who have somewhat laboriously to go from ATM to ATM and extract up to $500 each time (before, of course, transferring 70% back to Mr Big).

To my knowledge, the gang has not visited any companies in the UK. But Britain, along with the US, Canada, Western Europe, Australia and New Zealand, is a top target for cyber criminals from across the globe. The British are dangerously vulnerable to cyber attack of all shapes and sizes, according to the latest report on cyber security from the UK thinktank Chatham House. It is high time, the report argues, that Britain got its act together. It is no longer the case that banks are the prime targets; any business, be it manufacturing, military, legal or financial, is now computer-based and therefore vulnerable to attack. A few hours after the publication of the Chatham House document last week, the government unexpectedly announced it would be postponing the presentation of its new cyber security strategy to Parliament. A sign of nerves, perhaps? Certainly, getting this strategy wrong might prove very expensive.

$1-trillion?
But what exactly are we protecting ourselves against? We have heard some dire warnings in recent months about the extent of the threat posed by illegal activity on the internet. In 2009, the White House suggested that cybercrime and industrial espionage inflicted damage of about $1-trillion a year — almost 1.75% of global GDP. Can it be true? The answer is that, whatever anyone may say, nobody has the faintest idea. The $1-trillion could be a wildly exaggerated figure put out there by the cyber security industry in order to generate sales. Or it could be the result of some hyperactive algorithms. Or it could be true. But nobody can assert with any confidence which it is.

The activities of the pre-paid gang, according to my underworld source, were only discovered because they committed an uncharacteristic error allowing FIS’s defences to pick up on the presence of a foreign body in its networked system. If that had not happened, the gang might still be merrily ripping off FIS and everyone else, unbeknown to the rest of the world.

But although there is no precision about figures out there, there is no doubt that threats do exist. And it is high time people started to learn what they are and how to protect themselves against them.

Crime on the web is changing very rapidly. Until quite recently, most of it took place on so-called “carder” sites with names such as CarderPlanet, Shadowcrew and DarkMarket (a “carder” is simply a hacker who deals in credit cards or card details). These were in effect department stores for criminals.

The first and the most celebrated among thieves was CarderPlanet. Members would come to this website, run out of Odessa in Ukraine, to buy and sell stolen credit card details, to purchase viruses, trojans and worms with which they could compromise victims’ computers, to take tutorials in how to deploy the latest cyber weapons, or to hire a botnet — a network comprising thousands of zombie computers – to use in an attack against your enemies.

CarderPlanet’s significance in the history of cybercrime lies in its founders’ introduction of an escrow system. This worked almost like a criminal version of PayPal, using legitimate channels such as Western Union, and enabled them to overcome the central problem facing all cyber criminals — how to trade with somebody on the web when you know that, as a criminal, he or she, like you, is inherently untrustworthy. Escrow, whereby a neutral officer from the website would hold both the credit card details being sold and the money from the purchaser until they were satisfied that both sides were genuine, solved that problem at a stroke. It also led to the industrialisation of crime on the web.

‘Everyone works by himself, for himself’
One of the co-founders of CarderPlanet, the Ukrainian hacker known as Script, described the pioneers of digital thieving as “lone wolves”. In an interview with Hacker, the great chronicler of Russia’s cyber underworld, he explained that: “They don’t huddle together in groups or form their own distinctive networks; everyone works by himself, for himself.” But in the past few years, the lone wolves have begun to form packs, usually under the leadership of charismatic individuals, such as Mr Big from the pre-paid scam. “Carder” sites such as DarkMarket have slipped out of fashion because they were too easily infiltrated by law enforcement agencies such as the FBI and the Serious Organised Crime Agency here in Britain. Instead, the lone wolves have started to form packs with trusted friends and these look more like traditional organised crime groups with a clear hierarchy and division of labour.

One of the most lucrative scams revolves around so-called “scareware”, malicious software that plays on the fear of virus infection, which was perfected by a Ukrainian-based company called Innovative Marketing. IM employed dozens of young people in the Ukrainian capital Kiev, most of whom believed they were involved in a startup company that was selling legitimate security products. Except they weren’t. Computer users who had clicked on a certain link placed by a hacker on a legitimate website had become infected. Hackers, in turn, triggered a pop-up on the browser warning the user that their machine had been compromised by a virus. The only way, the advert explained, they could rid their computers of the electronic critters now crawling all over their hard disk and memory was to click on a link and purchase Malware Destroyer 2009, to name but one of their countless products. Once you had downloaded Malware Destroyer (for €40), IM would instruct you to remove your existing anti-virus system and install its product. Once installed, however, it did precisely nothing — it was an empty piece of software, although now, of course, you were open to infection by any passing virus and you had paid for that dubious privilege.

A researcher for the software company McAfee in Hamburg, Dirk Kolberg, began to monitor this operation. He followed the scareware back to its source in East Asia and found that the administrator of IM’s servers had left some ports wide open, so Kolberg was at liberty to wander into it and peruse at will. What he uncovered was quite breathtaking.

Innovative Marketing was making so much money that it had established three call centres, one in English, one in German and one in French, to assist baffled customers who were trying to install their non-functioning products. This was one of the most theatrical examples of internet crime yet discovered. Kolberg worked out from trawling through the receipts he also found on the server that the scareware scam had generated tens of millions of dollars in revenues for the management. The FBI busted the US end of that operation but its two alleged masterminds, a Swede and an Indian, who are on the agency’s most-wanted list, remain on the run.

Innovative Marketing Kiev was probably the most lucrative operation to date, but by no means the only one. Yet although lucrative, it was, for the perpetrators, labour intensive. Streamlining in cybercrime, though, has led to outsourcing. Sophisticated hackers and criminals are now able to control vast armies of zombie computers — ordinary PCs that you or I might be using this minute but whose computing power can be redirected to commit criminal acts on the internet. The only clue that this could be happening in the background would be the computer running more slowly. This army is then rented out for a significant fee to opportunistic criminals who do not want or do not have the ability to amass such a formidable computing weapon.

Cogs in a a ruthless machine
This network can breach its targets and intended victims (usually banks, financial institutions or, of course, ordinary account holders) by sending email after email to overload the system, creating a diversion that allows hackers to gain access. It can also seek out serial numbers, login IDs and financial information such as credit card numbers. Eventually money is transferred to so-called money mules. These are (largely) unwitting characters, usually Americans or western Europeans, who respond to advertisements offering good returns for work carried out from your home computer. Successful candidates are then required to use their personal bank accounts on behalf of their new employer. The mules would receive, say, $200 and then forward $180 to Mr Big, holding back $20 as their commission. In a recent major FBI case, codenamed Operation Trident Tribunal, the mules had been instructed to send the money to a bank in Latvia, one of the three Baltic republics, along with Lithuania and Estonia, whose role in cybercrime is out of all proportion to their combined population of seven million.

The emergence of such outsourcing accentuates one of the greatest problems that police face in dealing with organised crime. The structure acts as a mask that obscures the real money-makers: the people who assemble the zombie networks and the Mr Bigs who use their services. The mules are easy to catch but they are very small cogs in a more ruthless machine. The next challenge for law enforcement is not unlike that facing the Untouchables in Al Capone’s Chicago. Capone, of course, was eventually busted for tax evasion. But how can you track down a digital Al Capone when you don’t know who he is or where he is? – guardian.co.uk