MCAFEE VIRTUAL CRIMINOLOGY REPORT

ORGANISED CRIME AND THE INTERNET
December 2006

© McAfee 2006

CONTENTS

INTRODUCTION

SECTION ONE
CYBERCRIME: A NEW GENERATION OF CRIMINALS

SECTION TWO
HI-TECH CRIME: HOW ORGANISED CRIME IS PROFITING FROM THE INTERNET

SECTION THREE
THE INSIDERS: THE NEW THREAT TO CORPORATES

SECTION FOUR
FUTURE CHALLENGES

REFERENCES

INTRODUCTION
GREG DAY, MCAFEE SECURITY ANALYST
“It’s been dubbed Web 2.0 or the internet’s second wave. Millions of people are now harnessing the internet to network with each other socially, create and share content and buy products and services in even greater amounts. So too is organised crime. Organised crime is seizing the potential of the digital space we live our lives through today for financial gain. The increasing take-up of broadband and new technologies such as voice over internet (VoIP) services present new opportunities for hi-tech criminals. Cybercriminals are not standing still either. They are developing faster, stealthier and more resilient methods such as ransomware to target new and unsuspecting victims such as home PC users and small businesses. The security industry has also not stood still. Today, global viruses like Mydoom and Sober are no longer effective means of causing mass infection. So cybercriminals are using more subtle and sophisticated methods that are harder to detect. As such, proactive protection is becoming imperative – it is the only way to offer users absolute confidence. As the largest dedicated security company in the world, McAfee is at the forefront of enabling consumers and businesses to better understand the risks they face online - showing them the best ways they can take a proactive approach to securing the things that matter most to them, including their identity and personal belongings such as digitally archived photos and music. McAfee has worked with leading hi-tech enforcement experts and agencies across Europe and the US over the past five months to reveal its second study into organised crime and the Internet. The study underlines how vigilant we should all be as new technologies propel our usage of the Internet but also provides new opportunities for hi-tech criminals.”

In 2005, the McAfee Virtual Criminology Report revealed how European cybercrime had expanded from geeks in their bedrooms to organised cybercrime gangs. The McAfee report, the first to examine organised crime and the Internet, highlighted how old-style crime gangs were going hi-tech and replacing baseball bats with botnets to carry out systematic and professional cyber crimes. A year on and cybercrime represents the fastest-growing category of crime globally. Cybercrime is no longer in its infancy; it is now big business. Organised crime is capitalising on every opportunity to exploit new technology to perform classic crimes such as fraud and extortion to make money illegally. And they are targeting businesses and individuals alike. Organised crime gangs may have less of the expertise and access needed to commit cybercrime but they have the financial clout to buy the right resources and operate at a highly professional level.

FROM BEDROOM LONERS TO COMMUNAL CAFES
The report examines how cyber criminals are moving away from bedrooms and into public places such as Internet cafes and Wi-Fi enabled coffee shops. Experts across the globe recognise the growth of cybercrime. Dave Thomas, Section Chief, FBI Cyber Division, says “If you have people reading in the media that other people are making a lot of money from cybercrime – and if they have criminal intent – then they are definitely going to also take that path.” The threat of cybercrime to businesses and individuals continues to increase at a staggering rate. In July 2006, McAfee researchers reported that over 200,000 online threats had been detected. It took 18 years to reach the first 100,000 (2004) and only 22 months to double that figure. McAfee’s researchers expect it to double yet again in a similar timeframe. Organised crime has realised the potential of making money through the Internet as we move forward into our cyberworlds. Commissioned by McAfee and with contributions from Robert Schifreen, expert author of the best-selling book Defeating the Hacker, law enforcement agencies and cybercrime experts across the globe, the second McAfee Virtual Criminology Report shows how hi-tech crime is developing and looks into the future threat this activity poses to home computers as well as to government infrastructure and corporate organisations.

NEW GENERATION GROOMED FOR CYBERCRIME
The new research reveals how organised crime is grooming a new generation of high-flying cybercriminals using tactics which echo those employed by the KGB to recruit operatives at the height of the cold war.

TEENS AS YOUNG AS 14 ATTRACTED BY CULT OF CYBERCRIME
The study also reveals how internet-savvy teens as young as 14 are being attracted into cybercrime by the celebrity status of hi-tech criminals and the promise of making money without the risks associated with traditional crime.

SECTION ONE
CYBERCRIME: A NEW GENERATION OF CRIMINALS
Governments, companies and enforcement agencies have intensified their efforts to bring hackers and other malware authors to justice over the last year. The publicity surrounding high profile court cases and cybercrime activity has thrust cybercrime into the media spotlight and heightened public awareness. At the same time, it’s never been easier to commit crime online. Opportunity is everywhere and as a result the threat of cybercrime is now omnipresent. Old-style criminals are driven largely by a desire to cause harm or make money. Rarely will a criminal rob a bank, mug a stranger or kidnap a person to make a point or to see how easy it is to do. Conversely, the Internet has prompted all manner of rogue behaviour – some out of intellectual interest and curiosity but most because the opportunity and financial incentive are there.

“The number one motivator is opportunity. Whatever the underlying motivation, be it financial or otherwise, if they have the opportunity they can commit the crime. Take away the opportunity and the motivation becomes less important. People don’t spend enough time exploring why potential criminals have the opportunity to commit crimes in the first place.”
Professor Martin Gill - Director of Perpetuity Research and Consultancy International and a Professor of Criminology at the University of Leicester

CASE STUDY: THE CULT-LIKE STATUS OF CYBERCRIMINALS – GARY MCKINNON
Gary McKinnon was indicted by a US court in November 2002, accused of hacking into over 90 US Military computer systems from the UK. Gary faces up to 70 years in jail but has a huge online following of people trying to get him out of jail and/or protesting his extradition to the US for trial and punishment. Many people believe he should be tried in England and serve his time in the UK. http://freegary.org.uk/ Gary claims his inspiration to become a hacker came from watching the movie WarGames when he was 17 years old. He thought, “Can you really do it? Can you really gain unauthorised access to incredibly interesting places? Surely it can’t be that easy.” And so he gave it a try.

CULT-LIKE STATUS OF CYBERCRIME

“If you have people reading in the media that other people are making a lot of money from cybercrime – and if they have criminal intent – then they are definitely going to also take that path.”
Dave Thomas, Section Chief, FBI Cyber Division

As a result, cybercrime has established a cult following, with online offenders rising almost to celebrity status within hacking communities. Virus writers, hackers and other malware authors have well-publicised conferences and seminars where they showcase their methods to highlight potential security issues. But as well as revealing potential security issues, they also expose vulnerabilities and the opportunity for criminals and black hat activities.

SPOTLIGHTING CYBERCRIME
• Defcon, the annual hacker gathering in Las Vegas: Attendees were encouraged to hack their entrance badges
• The Blackhat Security Conference: Microsoft encouraged hackers to take their best shot at its new operating system, Windows Vista
• Hack in the Box – labelled as ‘the most intimate of the hacker conferences’

CASE STUDY: FROM INQUISITIVE TO INCRIMINATING
By the age of 20, Shiva Brent Sharma had amassed in excess of $150,000 in cash and merchandise through computer crime. When he was arrested for the third time for identity theft, he claimed he could earn around $20,000 in a day and a half. Addicted to the challenge and to the reward, he fears that when he finishes serving his two to four year prison term, he’ll relapse and start tapping into online wallets again. From a middle-class family background and the youngest of three children, Sharma was always battling for access to the Internet. His criminal activities started when he began regularly visiting sites where users from all over the world met to swap tips about identity theft and to buy and sell personal information. The tricks and techniques he learned there enabled him to undertake his variety of scams. He began with phishing, then dealt in bootleg software before ultimately moving on to buying stolen credit card accounts online, changing the information and sending the money to himself. Sharma never could provide a clear reason for his crimes. At times he claimed it was simply a game to pass the time, whilst at others he implied it was a more focused attack against the banking industry. “Well, you know – I mean there’s no justification behind it at all. You know it was wrong and I did it – it was wrong.” [2]

FROM INQUISITIVE TO INCRIMINATING: HOW YOUNG TEENAGERS FALL INTO CYBERCRIME
Many young people are first enticed into cybercriminality by intrigue, by the challenge and by the promise of getting something for nothing. Some are aware of their illegal actions from the start; others edge slowly toward the murky underworld from seemingly innocent beginnings.

For many, the thrill of the challenge and the community is too tempting a scenario to resist. Just as a drug addict enjoys their first high and increasingly looks for the next fix, so too does the lure of the next cyber-scam prove addictive – and all too easy if you know where to go for advice. That addiction grows as the stakes become higher and organised criminals pay youngsters to execute their extortion scams. As a result, cybercrime amongst teenagers is rising.

“Young hackers and script kiddies get involved on the small scale and it steamrolls from there. They start with very simple tasks but move quickly to accessing credit cards and other money-making schemes. The FBI focuses a lot on attacks and criminal networks coming out of Eastern Europe. Many of these cybercriminals see the Internet as a job opportunity. With low employment, they can use their technical skills to feed their family. Cybercrime becomes an occupation.”
Dave Thomas, Section Chief, FBI Cyber Division

“Once an amateur hacker becomes more proficient at compromising systems, it is easy to realise that they can make money doing so (for example: renting out bots or leasing out slots to send spam). At the same time, criminals pro-actively recruit people for their technical jobs. Those people may not know what they are really getting involved in.”
Erik de Jong, Project Manager, Govcert.NL

Newsgroups, forums and Internet cafes are full of people looking for information and passwords. Initially, their aim is fairly harmless and many do not have aspirations of being a serious cybercriminal - they are only password-hunting because they wish to hack into a computer program to see if they can, to see how it works or access a game which is protected. However, other hackers and malware authors freely exchange tips in online forums and feed beginners the knowledge to hook them in. The typical hacker is between 14-19 years old. [1]

WWW.HOWTOHACK.COM

It’s never been easier to commit cybercrime. There are more opportunities and more information on how to get started with just the click of a mouse. Within seconds of searching online, anyone of any age can access numerous sites and information on hacking and other cyber scams. While the vast majority of content online has fostered a spirit of enterprise and sharing of information and knowledge for good, it has made it easy for impressionable young teenagers, and those people intent on making money, to find the tools to get started in cybercrime. The tools necessary for spamming and phishing are easily accessed and publicly available on the Internet. Companies sell lists of email addresses at $39.95 per 3 million for multiple use. Compare this with the going rate of 20p per name for conventional mailing lists from reputable firms for just one-time mailings and it is easy to see the opportunity for criminals. Once they have the addresses all they have to do is send the ‘loaded’ email and engineer the welcome message that will get consumers to open it.

“The availability of tools online has assisted the growth of cybercrime. The complexity of tools has also increased. For example: creating one’s own bot and setting up a botnet is now relatively easy. You don’t need specialist knowledge, but can simply download the available tools or even source code. In general, you see that tools that were once only available to a privileged group of “specialists” become available to the general public over time.”
Erik de Jong, Project Manager, GOVCERT.NL

“Hacking tools have been available on-line for some years now. Criminals often will adopt and put them to illicit use. Despite this, we continue to arrest and prosecute those who seek to engage in computer crime.”
Robert Burls MSc, Detective Constable, Metropolitan Police Computer Crime Unit

HOW ORGANISED CRIME IS GROOMING THE NEXT GENERATION OF CYBERCRIMINALS
“Cybercriminals need not only IT specialists – they need people that can launder money, people that can specialise in ID theft, someone to steal the credit numbers, then hand it off to someone who makes fake cards. This is certainly not traditional organised crime where the criminals meet in smoky back rooms. Many of these cybercriminals have never even met face-to-face, but have met online. People are openly recruited on bulletin boards and in online forums where the veil of anonymity makes them fearless to post information.”
Dave Thomas, Section Chief, FBI Cyber Division

In the words of former KGB Maj. Gen. Oleg Kalugin: “If you can find a young person, perhaps a student, before his opinions have fully matured, then make him truly believe in your cause, he will serve you for many years.” [4] In some cases, organised crime gangs are going even further to sponsor eager would-be hackers and malware authors to attend information technology university courses to further their expertise. Criminals are also earmarking university students from other disciplines and supporting them financially through their studies with a view to them gaining employment with, and inside access to, target organisations and businesses.

CASE STUDY: POTENTIAL TARGETS OF CYBERGANGS
In June 2006, researchers surveyed 77 computer science students at Purdue University, USA, using an anonymous, web-based questionnaire. Students were asked whether they had indulged in one of several “deviant” computer acts, some of which could be classified as illegal. These activities were guessing or using another person’s password, reading or changing someone else’s files, writing or using a computer virus, obtaining credit card numbers and using a device to obtain free phone calls. The number of IT students who admitted to such behaviour was high. Of 77 students, 68 admitted to engaging in an activity that could be classified as deviant. [5]

Although organised criminals may have less of the expertise and access needed to commit cybercrimes, they have the funds to buy the necessary people to do it for them. In an echo of the KGB tactics employed during the cold war to recruit operatives, organised crime gangs are increasingly using similar tactics to identify and entice bright young net-savvy undergraduates. Organised crime gangs are starting to actively recruit skilled young people into cybercrime. They are adopting KGB-style tactics to recruit high flying IT students and graduates and targeting computer society members, students of specialist computer skills schools and graduates of IT technology courses. At the height of the cold war, potential KGB operatives were often identified by skimming trade journals for expert names or checking trade conference attendees, or were approached out of the blue on university campuses.

FROM PURISTS TO PROFITEERS: THE CYBERCRIME FOOD CHAIN
Perpetrators of cybercrime today range from the amateurs with limited programming skills who rely on pre-packaged scripts to execute their attacks, right through to the well-trained professional criminals who are armed with all the latest resources.

THE INNOVATORS
Who? Focused individuals who devote their time to finding security holes in systems or exploring new environments to see if they are suitable for malicious code
Why? The Challenge
How? Embrace the challenge of overcoming existing protection measures and seek to break in through the back door

Danger Rating: Low
These purists, the ‘elite threat authors’, only make up 2% of the hacking and malware author population

THE AMATEUR FAME SEEKERS
Who? Novices of the game with limited computing capabilities and programming skills
Why? Hungry mainly for media attention
How? Use ready-made tools and tricks

Danger Rating: Moderate
Threat lies in the unleashing of attacks without really understanding how they work

THE COPY-CATTERS
Who? Would-be hackers and malware authors
Why? The celebrity status of the cybercrime community has prompted an upsurge of those desperate to replicate their formulae for fame
How? Less focused on developing something new and more interested in recreating simple attacks

Danger Rating: Moderate

THE INSIDERS
Who? Disgruntled or ex-employees, contractors and consultants
Why? Revenge or petty theft
How? Take advantage of inadequate security, aided by the privileges given to their positions within the workplace

Danger Rating: High
This group is a growing and serious security problem

THE ORGANISED CYBER-GANGSTERS
Who? Highly motivated, highly organised, real-world cyber-crooks. Limited in number but limitless in power
Why? Intent on breaching vulnerable computers to reap the rewards
How? Like in most communities of successful criminals, at the centre is a tight core of masterminds who concentrate on profiteering by whichever means possible – but surrounding themselves with the human and computer resources to make that happen

Danger Rating: High

COMPARISONS BETWEEN REAL WORLD YOUNG OFFENDERS AND CYBERCRIMINALS
Criminals are exploiting the fact that the cyber-world represents a vast domain of global opportunity with virtually no barriers and little risk of detection and punishment. A US Treasury advisor has stated that more money is now made from cybercrime than from the traditionally high revenue-yielding drugs industry. [6] Whilst law enforcement agencies are working hard to combat the cybercrime threat, in the opportunity versus risk versus reward ratio, online crime is currently proving more appealing to serious criminals than traditional organised crime.

PROFILE OF A DRUG-COURIER
NAME: Scott Rush
AGE: 19
MOTIVE: Money
METHODS: Drug trafficking. Caught couriering heroin from Australia to Bali
REWARD: 1.3kg of heroin with a street value of $1m
RISKS AND PUNISHMENTS: Also on charges of fraud, theft and drink-driving, Scott was sentenced to life imprisonment. On appeal this was upgraded to the death sentence.

PROFILE OF A BOTNET AUTHOR
NAME: Jeanson James Ancheta
AGE: 20
MOTIVE: Money
METHODS: Used trojan horse to infect and control computers before selling to adware, spyware and spam companies
REWARD: $0.15 per install; $3,000 per botnet; $60,000 in 6 months and over $170,000 in total
RISKS AND PUNISHMENTS: James was the first botnet author ever to be sentenced, in May 2006. He got four years in prison.

SECTION TWO
HI-TECH CRIME: HOW ORGANISED CRIME IS PROFITING FROM THE INTERNET

Online crime has changed dramatically in recent years. The previously common and global virus events are now all but a thing of the past. In the first half of 2004, 31 virus outbreaks were rated medium and above. The second half of 2004 saw 17 more. That number fell to 12 for the whole of 2005 and in 2006 there have been no outbreaks of comparative severity. The focus has turned towards altogether stealthier and more targeted means of attack. Cybercriminals are refining their means of deceit and the victims they are targeting. Evolving their techniques and targets allows them to stay one step ahead of detection.

FROM BEDROOM LONERS TO CAFE CRIMINALS
The stereotypical view of lone cybercriminals operating out of their bedrooms is no longer a valid one. Nowadays, they are to be found right in the public eye. But rather than opening themselves up for discovery they are covering themselves with an invisible cloak. Hackers and malware authors traditionally worked from the hidden depths of their homes because they needed access to a telephone line for modem-to-modem communications. But the Internet, its popularity and its pervasiveness, has changed all that. They can access the Internet in a cybercafé, university, library, telephone kiosk, from a PDA or mobile phone – or even by stealing bandwidth from any unprotected Wi-Fi network that they happen to be parked near to. By using the Internet in a public place, cybercriminals maintain crucial anonymity and avoid detection. Many Internet cafes clean their computers by automatically rebooting the machines and wiping all non-standard files between each customer. Anonymity is key and tracks are more easily covered from a public location.

KEY TRENDS OVER THE PAST YEAR INCLUDE:
• Moving away from bedrooms and into public places to avoid detection
• Exploiting the new online social networking explosion
• Targeting identities by employing new techniques such as spear phishing
• Targeting new technologies – mobile phones and devices
• Targeting individuals and small businesses
• Criminal collaboration and the creation of malware mafia families

COVERT COMMUNICATIONS IN PUBLIC SPACES
Following the explosions in London on 7th July 2005, the National Hi-Tech Crime Unit (NHTCU) contacted JANET, the Joint Academic Network, which connects UK universities, colleges and schools. The NHTCU suspected that the terrorists used a telecommunications system in the planning and execution of their attack, and that universities may have information on their networks that could assist in its investigations. The NHTCU requested that all data be preserved.

SOCIAL NETWORKING: HOW CRIMINALS ARE TARGETING THE WEB’S SOCIAL NETWORKING EXPLOSION
Since its beginning, the web has often been used as a tool to meet new people, but over the last year the interaction between Internet users has grown dramatically. Web 2.0, or the Internet model where content is created and shared, has given birth to some of the most popular websites the Internet has ever seen. Sites like MySpace, Bebo, Friendster, Facebook and LinkedIn (a site used for business networking) have fuelled the social networking trend. It’s a hugely powerful medium and people are just starting to grasp how effective it can be to link with friends, or potential business associates. By their very nature, these sites are vulnerable to misappropriation. There is a false economy of trust. People don’t present personal information to strangers in the street, but building profiles online means that Internet criminals can instantly access a mine of details – names and interests, pets and life stories. All of which help them to either take those identities directly to defraud, or understand personalities to better and more effectively target phishing or adware scams. The inclusion of music on MySpace has been one of the biggest reasons for the site’s success. Unknown bands have demonstrated that social networking sites can be an effective way of promoting themselves. Artists like Lily Allen and Arctic Monkeys have used MySpace as a springboard.

But this also presents the perfect opportunity for criminals to embed spyware and adware within downloads, capable of compromising PCs, tracking online behaviour or directing users to inappropriate content. Whole profiles can be developed for illegal purposes.

SOCIALLY UNACCEPTABLE – SCAMS ON MYSPACE
In October 2005, the Samy worm was discovered on popular community site MySpace.com. By exploiting vulnerabilities in the MySpace.com site, the worm added a million users to the author’s friends list. Additionally, the malicious code would be copied into the victim’s profile, so that when that person’s profile was viewed, the infection spread. In summer 2006, a banner ad on MySpace compromised almost 1.1 million computers. When users opened the image, the hacker was given access to the infected PC. The spyware installation program contacted a Russian-language web server in Turkey that tracked the PCs on which the programme had been installed. The ad also attempted to infect users of Webshots.com, a photo-sharing site. MySpace was also subject to a phishing scam in 2006. The attack started when users were sent a link through an instant messaging program. The link was from someone in their contact lists, asking them to click the link to MySpace to view photos. The link led to a fraudulent MySpace login page. Once the victim entered their information, they were then transparently logged into the real MySpace pages. But in the meantime, all their log-in information became the property of the phisher.

SOCIAL ENGINEERING IN PUBLIC COMMUNITY SITES
Just like with social networking sites like MySpace, the very openness of Wikipedia that allows users to freely add or edit available content has made it an attractive target for virus authors to plant malicious code in articles. In October 2006, a piece on the German edition of Wikipedia was re-written to contain false information about a supposedly new version of the infamous Blaster worm, along with a link to a supposed fix. In reality, the link pointed to malware designed to infect Windows PCs. An email was also mass spammed to German computer users requesting them to download the security fix. The email was crafted to supposedly appear from Wikipedia, complete with an official Wikipedia logo.

CONTEMPORARY SCAMS: HOW CRIMINALS ARE TRICKING PEOPLE BY TOPICAL CROWD PLEASERS
Popular national and international news and sports events draw in the crowds – but now they attract the cybercriminals too. Whether it’s via viral marketing, or just plain viruses, a topical subject header, website link or download is capable of reaping rewards. The 2006 World Cup generated exactly this sort of criminal opportunity. Popular with millions worldwide, fans’ hunger for information proved insatiable. Viruses using related messaging circulated fast and furious; and thousands frantically downloaded score spreadsheets and screensavers giving criminals almost instant and unsuspected presence on hundreds of thousands of computers.

An analysis of screensaver pages associated with the World Cup found that a high proportion of sites were loaded with adware, spyware and malicious downloads. Among the teams, Angola (24%), Brazil (17.2%) and Portugal (16.2%) rated especially highly, while among the players, superstars Cristiano Ronaldo of Portugal, David Beckham of England and Ronaldinho of Brazil posed a significant danger to fans.

IDENTITY THEFT: STEALING PERSONAL INFORMATION TO DEFRAUD
There has been a dramatic increase in the collection methods used by criminals to steal personal identifier information.

WORLD CUP WOES – CRIMINALS 3: CONSUMERS: 0
Virus writers got themselves into a football frenzy unleashing attacks attempting to cash in on sports supporters. In May 2006, a trojan horse which disguised itself as a World Cup wallchart was distributed by spam email. It specifically targeted German speakers. Another virus attack infected Microsoft Excel files cloaking itself as a spreadsheet charting the national teams participating in the World Cup.

“Victims of identity theft-related malware lose ALL of their personal privacy and there is a high probability they also lose substantial amounts of money. They might even be involuntarily involved in criminal acts through misuse of their identity.”
Christoph Fischer, General Manager of BFK edv-consulting GmbH

KEYLOGGING
Hackers use keylogger programs to silently collect keystrokes from unsuspecting victims whose use of online chat rooms and instant messaging type programs makes them vulnerable. On activation, the hacker can collect any information that the user has inputted online, including personal data used in online transactions. A large proportion of this data is transmitted internationally to countries where it is difficult for the law to intervene. The perpetrator then uses that information to assume an identity and gain access to credit card accounts.

CASH FROM TRASH
Cybercriminals are also cashing in with simpler tricks. People often have little realisation of the value of the information they just throw away. Criminals have sought out confidential information by rifling through rubbish. Now cybercriminals have realised that when computers are dumped or resold, more often than not, they still contain a wealth of files and data that can be used for financial gain or deception.

CASE STUDY: THROWING AWAY CONFIDENTIAL INFORMATION
In April 2005, a hard drive of the police of Brandenburg, Germany, showed up on eBay. Confidential police documents like internal alarm plans for extreme situations like hijacking and hostage-taking were fully accessible. There were also lists of names on the hard drive showing the manning of crisis management groups, lay-outs, orders and analytics: information which could be very useful on a number of criminal levels, not least for terrorists.

According to the FBI: “Identity theft costs American businesses and consumers a reported $50 billion a year, causes untold headaches for an estimated 10 million US victims annually, and even makes it easier for terrorists and spies to launch attacks against our nation.” [1] As a result, in June 2006, the FBI joined corporate, academic, and government leaders in announcing a new Center for Identity Management and Information Protection (CIMIP) to combat the increasing threat that identity fraud and theft pose to personal and national security.

MIND GAMES: HOW CRIMINALS ARE EMPLOYING INCREASINGLY DEVIOUS MEANS TO TRICK PEOPLE INTO HANDING OVER MONEY AND INFORMATION
While cybercriminals continue to churn out attacks on larger institutions and en masse hits, the majority have turned to subtler and more effective methods which introduce the mind games and social engineering techniques that unravel not only chunks of data but entire identities.

“While virus and worm epidemics have been reduced – mostly as a consequence of improved tools for detection and removal – phishing and pharming have become predominant means of attacks, especially targeting banks.”
Professor Klaus Brunnstein, University of Hamburg

PHISHING FACTS
• 17,000 phishing reports per month in 2006 [2]
• 40% in non-English language [3]
• 90% of people still don’t recognise well-constructed phish [4]

Phishing – the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft – is on the rise. But the nature of phishing attacks is constantly changing. Over the last year, McAfee has seen phishing emails increase by approximately 25%. Fraudsters continue to target the high profile banks, financial institutions and e-commerce sites that they always have done but increasingly they are changing the content of the phishing mails away from the ‘update your details now’ scams to a more varied and directed message. In addition to attacking these well known companies, fraudsters are increasingly targeting smaller European and American financial institutions, and the targets are changing almost daily.

The e-commerce phish has also become more directed. Much of the phish targeting popular online auction sites appears to have been sent from another user rather than from the auction site. For example, many of the phish nowadays are fake messages claiming that you bought an item and have not paid, or the other user has raised a dispute against you, or is enquiring about an item for sale. In February 2006, the various ‘update your account information’ phish accounted for 90% of the eBay phish, and 10% were other types. Now it is less than 50%.

A less high-profile attack comes with the growing number of spear-phishing messages. These look like they have come from employers or colleagues who might feasibly send IT communications and include requests for user names or passwords. But the real truth is that the email sender information has been spoofed in an attempt to gain access to a company’s entire computer system.

UPDATING OLD TRICKS – SPAM BECOMES PICTURE PERFECT
Spam continues to remain one of the biggest challenges facing Internet consumers, corporations, and service providers today - with the cost of spam impacting bandwidth, delayed email, and employee productivity. Spammers continue to employ new tricks to avoid detection and open up new streams of revenue. Image spam has been significantly increasing and now many varieties of spam - typically pump and dump stocks, pharmacy and degree spam - are now sent as images rather than text. In October 2006, image spam accounted for up to 40% of the total spam received, compared to about 10% a year ago. Image spam is typically three times the size of text-based spam, so this represents a significant increase in the bandwidth used by spam messages. Traditionally, spammers have also used well-known top level domains (TLDs) such as .com, .biz or .info. But now, by using top level domains from small island countries, such as .im from the Isle of Man in the UK, spammers attempt to avoid detection by using domains previously unknown to spam filters. This trend has been nicknamed ‘spam island-hopping’.

MOBILE THREATS: HOW CRIMINALS ARE EXPLOITING NEW TECHNOLOGY
“SMiShing” (phishing via SMS), is a recent phenomenon that takes the concept and techniques of phishing via email and translates it to text messages. Episodes of this activity have been minimal to date but the nature of current attacks suggests that much of it has been authored by script kiddies looking to take new code to standard execution. Now SMiShing has become part of the cybercrime toolkit, there will be a considerable rise in attempts over the coming months. As we become more reliant on our personal mobile devices outside of the home and office, SMiShing stands as a clear indicator that cell phones and mobile devices will increasingly be used by perpetrators of malware, viruses and scams.

CASE STUDY: SMISHING
August 2006 saw the first example of a threat moving from the PC environment into the mobile space with an attack that started as a simple mass mailing worm but was then turned into a SMiShing attack. The threat targeted two major mobile phone operators in Spain, sending SMiSh messages free of charge via randomly generated mobile phone numbers through the operators’ email-to-SMS service gateway and specifically targeting Nokia Series 60 devices. It attempted to trick the victim into downloading free ‘anti-virus software’ from the operator. Users that downloaded and installed the software from the link found themselves infected with malware. Most of the code was in Spanish with some German comments, illustrating that cybercrime knows no borders.

GLOBAL BOTNET ARMIES: HOW HOME USERS ARE BECOMING A FAVOURITE TARGET FOR CRIMINALS
In the 2005 McAfee Virtual Criminology Report it was revealed how there had been a massive increase in extortion demands primarily targeting businesses reliant on the Internet for their business. Using thousands of computers around the world that were infected with malicious code, the report revealed how criminals were able to marshal botnets to bombard corporate websites blocking all genuine transactions and communities – also known as a distributed denial-of-service attack (DDoS). The report highlighted how criminals had targeted online gambling sites given the volume of transactions purely online. Botnet is the jargon term for a collection of software robots, or bots, which run autonomously.

BOTNET FACTS
• IRC BOTS grown from 3% – 22% of all malware (2004 – 2006)
• Costs of protection can be more than ransom costs

PERSONALLY HELD TO RANSOM
In May 2006, Helen Barrow, a 40-year-old nurse from Rochdale in the UK, discovered her computer files had vanished and had been replaced by one 30-digit password-protected folder. She also found a new file named “instructions on how to get your files back.” On opening it, Ms Barrow was told that the password to unlock the encrypted folder containing her files would be provided following a payment for drugs from an online pharmacy. Ms Barrow contacted police and an IT expert who managed to recover some of her files, which included coursework for her nursing degree. “When I realised what had happened, I just felt sick to the core,” Helen said. “…I had lots of family photographs and personal letters on the computer and to think that other people could have been looking at them was awful.” Thankfully, the password for this particular attack was made widely available by security firms, but the underlying trend is worrying.

“By far the major emerging threats are Botnets and we are also seeing more sophisticated malicious code. For example, some malware has the ability to deploy keystroke-loggers, harvest stored passwords and take screen captures of infected hosts. These techniques can enable criminals to obtain full identity profiles from victims as well as being able to potentially access their financial and personal data.”
Robert Burls MSc, Detective Constable, Metropolitan Police Computer Crime Unit

In 2005, the OCLCTIC (Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication) investigated 48% more business-related crimes than in the previous year. The number of people accused and prosecuted increased by 30%. The increase in crime investigations can be explained partly by the rise in the number of criminal activities⁵ such as blackmail, racism and extortion. Today this kind of extortion and distributed denial-of-service (DDoS) attack using botnets are being used by criminals on home PC users. Online blackmailers are increasingly looking towards the easy pickings of the relatively non-savvy home PC user. With consumers storing more and more documents of financial and sensitive value (banking details, work files) as well as sentimental value (photos and music) criminals have realised that they will pay up to have them restored.

In the 2005 McAfee Virtual Criminology Report it was revealed how botnets were becoming the method of choice for criminals. Organised crime gangs were hiring script kiddies to deploy a large number of asymmetric threats simultaneously on a business via its website. As predicted last year, there has been a significant increase in botnets and they are now the preferred weapon of choice for cyber criminals, used for phishing schemes, illegal spamming, stealing passwords and identities and spreading pornography. At least 12 million computers around the world are now compromised by botnets.

CRIMINAL COLLABORATION & MALWARE MAFIA FAMILIES
OPEN SOURCE TECHNIQUES
The growth of bots is due to two factors - financial motivation and the availability of source code. Without financial incentives, there would be far fewer variants. For example, the financially neutral Mydoom family has far fewer variants than any major bot family. And without large-scale source-code sharing, we would not see the handful of massive families that are evident today. Bot authors are increasingly using open source development techniques, such as multiple contributors, releases driven by bug fixes, paid feature modifications, and module reuse. A virus or Trojan is usually written by a single author who has complete control of the features and timing of the release updates. Bots, however, are different. Most bots are written by multiple authors. The use of a professional development methodology represents a critical change in malware evolution. This form of collaboration is expected to make botnets more robust and reliable - and being able to offer customers a guaranteed ROI will cause the bot and overall malware market to grow explosively within the next few years. Bots will continue to push the malware engineering envelope.

CASE STUDY: THE INTERNATIONAL BATTLE AGAINST BOTNETS
A 63-year-old man in Suffolk, a 28-year-old man in Scotland, and a 19-year-old man in Finland were arrested on June 27, 2006 in connection with an international conspiracy to infect computers using botnets. The Metropolitan Computer Crime Unit, the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department collaborated to arrest the men, who are all suspected of being members of the M00P cybercriminal gang.

ADWARE AFFILIATIONS AND FAMILIES

ADWARE FACTS
• All major search engines return risky sites when searching for popular keywords
• Between 2000 and 2002, there were only about ten adware families. By May 2006, there were more than 700 adware families with more than 6,000 variants
• The most prolific distributors of adware are actually star/celebrity sites, not the commonly believed adult and pornography websites

Spyware and adware are usually made and marketed by legitimate corporate entities for specific advertising and market research purposes. They install themselves on a user’s machine, often as the trade-off for a piece of “free” software, collecting marketing data and distributing targeted advertising. However, the emergence of lucrative online affiliate marketing models, whereby advertisers share revenue with other websites which feature ads and content designed to drive traffic to the advertiser’s site, has opened up new opportunities. Hackers are abusing the system by fraudulently taking money as an affiliate, then hacking into computers without the permission of the computer owner. By varying the download times and rates of adware installations, as well as by redirecting the compromised computers between various servers, hackers can evade the fraud detection of the advertising affiliate companies who pay them for every install.

CASE STUDY: HACKER MARKETING
Majy, a hacker, was paid $0.20 per install on computers in the US and $0.05 per install on computers in 16 other countries including France, Germany and the UK. He received income from a host of affiliate-marketing companies including TopConverting, GammaCash and LOUDcash.

Adware distribution is also a key example of just how inter-related cybercriminals are in today’s world. The vast majority of adware and spyware is thought to be the result of one large, distributed but connected organisation. Undercover criminal operations have seen many adware-distributing companies often mutually linked by agreements with varying degrees of secrecy and some sites regularly change names, which means that money generated is high whilst detection is virtually impossible.

SECTION THREE
THE INSIDERS: THE NEW THREAT TO CORPORATES
INSIDE THREATS
Criminals cannot operate without opportunity. The fast evolution of technology and the struggle of consumers and businesses to stay in step with the risks mean their prospects and profits are growing at a rapid pace. In terms of corporate IT security worries, top of the list right now is spyware as well as data theft using devices such as USB sticks. Viruses, firewalls and spam are, to a large extent, understood and under control. But detecting spyware centrally, and controlling the use of USB sticks, is a real worry to companies both large and small, from a theft and confidentiality point of view. Most companies view security threats from an outside-in perspective. There are, however, significant emerging threats to security that are not being introduced from external, unknown sources, but from employees themselves. Employee ignorance and negligence within the workplace is opening up cracks for cybercriminals to exploit. Lack of security attention and awareness by employees means there is a high risk of malware, viruses, worms and Trojans being spread to the work network. It only takes seconds for an employee to attach an unprotected laptop or PDA to the work network and seriously expose the whole environment to infection. Few have any idea that their company laptop may not have the latest security updates. Workers are also bypassing their company security procedures by attaching their own devices, such as iPods, USB sticks and digital cameras.

“One of the biggest challenges of today’s data-rich world is making the most of technology. Technology provides an opportunity for offenders and also an opportunity for crime prevention. I have great faith in the technology but much less faith in humans in being able to use it properly.”
Professor Martin Gill - Director of Perpetuity Research and Consultancy International and a Professor of Criminology at the University of Leicester

INSIDER FACTS
• Nearly a quarter of European professional workers connect their own devices or gadgets to the company network every day
• Nearly a quarter of European workers use their work laptop to access the internet at home
• A staggering 42% of Italian workers let family and friends use work laptops and computers to access the internet
• One in five Spanish workers download inappropriate content while at work

DATA LEAKAGE
A key threat for companies is the ease with which data and information can be taken out of the company. Criminals are realising that unsecured removable media devices such as USB sticks provide an easy means of carrying confidential and financially valuable information out of the workplace. Criminals are actively targeting employees or sponsoring undergraduates. An insider puts a wealth of information in their hands, easily transferred and virtually undetectable. They then hold the stolen data for ransom or sell it to the highest bidder. This threat is set to worsen with the emergence of U3 sticks - if they are not secured. These new generation devices can be booted from more easily and can carry installed applications that can be run directly from the stick, meaning that essentially it is possible to have your entire PC in your hand – or someone else’s.

“We believe that targeted attacks will continue to grow in number, both for businesses and governments (industrial and political espionage). We’re seeing office applications combined with social engineering techniques being used as vectors in these.”
Erik de Jong, Project Manager Govcert.NL

CONFIDENTIAL AND COMPACT INFORMATION TRANSFER
In 2006, an almost full 1GB flash drive of classified US Military information was apparently lost and later sold at an Afghani bazaar outside a US air base. The flash memory drive, which a teenager sold for $40, held scores of military documents marked secret, describing intelligence-gathering methods and information — including escape routes into Pakistan and the location of a suspected safe house there, and the payment of $50 bounties for each Taliban or Al Qaeda fighter apprehended based on the source’s intelligence.

CORPORATE ESPIONAGE:
Corporate espionage is big business. Data is often priceless property and can mean the make or break of a company. Stealing trade secrets – information or contacts - is a lucrative money-spinner for cybercriminals. As well as exploiting data leakage via new technologies and devices, criminals are finding new ways to use keylogger programs to get passwords, read email and keep track of a user’s activity. Spyware writers are also using Trojans to remotely access computers and execute code for instant access to information.

SECTION FOUR
FUTURE CHALLENGES
The growing ingenuity of cybercriminals is a serious challenge for consumers, businesses and law enforcement organisations. Like hackers, organised criminals are looking for the next new opportunity to exploit. A lot of work is being done to educate users, focusing on increasing awareness and encouraging them to not be duped into revealing personal information such as passwords. As broadband usage becomes ubiquitous, always connected means users are always at risk. As credit chip and pin becomes the standard, criminals will look to ways they can fraudulently make money from transactions online. The Internet is now commonplace for organised crime gangs. McAfee believes the following are key IT security trends for businesses and consumers to be aware of in the next 12 months:

AVAILABILITY OF LOW-COST PCS
Unprotected or under-protected computers are the new currency of organised crime. Most companies or consumers who understand the value of the growing content on their computers will take some preventative measures to ensure that it is protected from prying eyes, loss or theft. But with advances in technology and research progressing to build computers and laptops at ultra low-cost, the incentives to put those measures in place will likely be increasingly overlooked, providing easy targets for cybercriminals to profit from identities and information stored.

“As long as client/server systems and basic Internet methods remain inherently insecure, there is no hope for a reduction in criminal activity.”
Professor Klaus Brunnstein, University of Hamburg

RISING THREATS TO MOBILE DEVICES
Mobile devices present a serious challenge to data security, with the growing power of connectivity, the increasing volume of data stored on them and the enormous potential to infect both personal and enterprise networks. The growth of malware targeting mobile telephony is an area for concern. The numbers are still small at around 300 and rates of growth are often exaggerated, but there can be no denying that this figure will grow. Examples of financially motivated mobile malware have already been seen and when the phone becomes the standard means to transfer money, the attack rates will explode. Additionally, modern mobile phones (smartphones) are in essence miniature, portable computers – and they bring with them all the same associated risks as the technology matures: viruses, spam, phishing (or SMiShing), and people stealing data from lost, stolen, recycled, or resold devices. Highlighted previously in this report were the risks of data leakage and identity theft via not wiping files effectively before disposing of a computer, but the same holds true of today’s mobiles which contain contacts, photos, emails and confidential files or information. Data leakage or theft has already been seen on live devices too.

Smartphone sales have increased by 75.5% in the last year to 37.4 million units, and will grow by a further 66% during 2006.¹ The growing prevalence of the multifunctional mobile in today’s society, held as a natural lifestyle accessory that we connect with even more than a computer, makes it a very real target for identity and data cyber-thieves.

EXPLOITATION OF INTERNET PHONE CALLS
Total VoIP subscribers are projected to grow from 16 million² in 2005 to over 55 million in 2009 worldwide. The introduction of VoIP on enterprise networks in the absence of appropriate security measures will introduce another entry point for attackers to exploit – the next generation of phone hacking.

SUBTLE INFECTION VIA SOCIAL NETWORKING SUCH AS BLOGGING
Businesses and individuals alike have been creating and reading blogs increasingly over the last 12 months and this too presents associated risks. Millions of young people post online diaries that are often open to anyone that is surfing the web, meaning that personal information is on show and available for those identity thieves looking to build up their pseudo-profiles. Additionally, consumers who use web-based services like Bloglines or Web browsers such as Firefox to view news feeds and blogs are vulnerable to embedded malicious code that can install spyware, log keywords and passwords and scan networks and PCs for open ports.

GROWTH OF MULTIMEDIA DEVICES
The integration of technology brings integrated risk. This risk is heightened by the fact that the vast majority of users fail to understand the full functionality and capabilities of technologies, and do not appreciate or protect themselves against the security threats.

THE CYBERCRIME EXPERTS AND LAW ENFORCEMENT AGENCIES:
US: FBI CYBER DIVISION
The FBI’s cyber mission is four-fold: first and foremost, to stop those behind the most serious computer intrusions and the spread of malicious code; second, to identify and thwart online sexual predators who use the Internet to meet and exploit children and to produce, share, or possess child pornography; third, to counteract operations that target US intellectual property, endangering national security and competitiveness; and fourth, to dismantle national and transnational organized criminal enterprises engaging in Internet fraud.

NETHERLANDS: GOVCERT.NL
GOVCERT.NL is the Computer Emergency Response Team for the Dutch Government. Initiated by the Ministry of the Interior and Kingdom Relations and officially operational since June 5, 2002, it supports the government in preventing and dealing with ICT-related security incidents. GOVCERT.NL works independently of suppliers as a government organization and is part of ICTU, the Dutch organization for information and communication technology in the public sector.

UK: METROPOLITAN POLICE COMPUTER CRIME UNIT
The Computer Crime Unit is a centre of excellence in regard to computer and cyber crime committed under the Computer Misuse Act 1990, notably hacking, maliciously creating and spreading viruses and counterfeit software. The unit provides a computer forensic duty officer and offers computer evidence retrieval advice to officers.

GERMANY: PROFESSOR KLAUS BRUNNSTEIN, Professor of Information Technology at the University of Hamburg
Professor Brunnstein is President of the council of the “Notfall-Rechenzentrums für Großrechner in Banken, Versicherungen und Industrie” in Hamburg, a role he has held since 1983. His areas of speciality are data protection, IT Security and computer viruses. Previously, Professor Brunnstein was a member of the chairmanship of GI (Gesellschaft für Informatik) from 1996 until 2001 and currently still holds the role of President of the International Federation for Information Processing (IFIP).

PROFESSOR MARTIN GILL: Director of Perpetuity Research and Consultancy International and a Professor of Criminology at the University of Leicester
Professor Martin Gill has published over 100 journal and magazine articles and 11 books including Commercial Robbery, CCTV, and Managing Security. He is co-editor of the Security Journal and founding editor of Risk Management: an International Journal. Martin Gill is a Fellow of The Security Institute, a member of the Risk and Security Management Forum, the Security Guild (and therefore a Freeman of the City of London), the ASIS International Foundation Board, an overseas representative on the ASIS International Academic Programs Committee and the ASIS International Security Body of Knowledge Task Force. With PRCI colleagues he is currently involved with a range of projects related to different aspects of crime in organisations and private security; this includes shop theft, frauds, staff dishonesty, burglary reduction, robbery, the effectiveness of security measures, money laundering, policing, violence at work, to name but a few.

CHRISTOPH FISCHER: General Manager of BFK edv-consulting GmbH
Christoph Fischer is the general manager of BFK edv-consulting GmbH. He has more than 20 years of experience in the IT Security area, specialising in creating and testing security concepts. He is also a member of the following organisations: EICAR, FIRST, Cybercop Forum and EECTF. Christoph Fischer studied at the University of Karlsruhe (TH).

REFERENCES
SECTION ONE
1 Source: Robert Schifreen, author of Defeating the Hacker, derived from online research June-September 2006
2 In an interview with Tom Zeller Jr. of the New York Times: http://www.nytimes.com/2006/07/04/us/04identity.html?pagewanted=3&ei=5088&en=18bc230a1ae1ba06&ex=1309665600&adxnnl=0&partner=rssnyt&emc=rss&adxnnlx=1162985316-o1mmMf67Bb0R8vQ8wCG6QQ
3 Source: Robert Schifreen, author of Defeating the Hacker, derived from online research June-September 2006
4 Source: Article on Stasi Recruits by Jamie Dettmer: http://findarticles.com/p/articles/mi_m1571/is_38_15/ai_56904965 (Accessed 17 July 2006)
5 In an interview with computer scientist Marcus Rogers of John Jay College, New York: http://www.newscientisttech.com/article.ns?id=dn9619&feedId=online-news_rss20. (Accessed 28 July 2006)
6 In an interview with Valerie McNiven, advisor to the US government on cybercrime: http://www.theregister.co.uk/2005/11/29/cybercrime/ (Accessed 4 June 2006)

SECTION TWO
1 Figures taken from the FBI website: http://www.fbi.gov/page2/june06/cimip062806.htm (Accessed 4 July 2006)
2 Figures from Secure Computing Research cited in: http://www.securecomputing.com/index.cfm?skey=1634 (Accessed October 2006)
3 Figures taken from an RSA Security report cited in: http://www.rsasecurity.com/press_release.asp?doc_id=6877&id=2682 (Accessed June 2006)
4 Figures taken from a Harvard University and the University of California study: http://www.computerworld.com.au/index.php/index.php?id=217996450 (Accessed September 2006)
5 An extract of an article entitled “Les chiffres de la cybercriminalité en France” by Francois Paget, Senior Virus Research Engineer, McAfee Avert Labs. September 2006.

SECTION FOUR
1 Taken from Gartner statistics reported in the media in October 2006: http://news.com.com/Smart-phone+sales+are+soaring/21001041_3-6124049.html
2 In Stat prediction figures: http://www.instat.com/newmk.asp?ID=1566