Today, we tend to conflate cyber crime with cyber espionage and cyber warfare. We call all of them attacks, and this confuses an issue that is already complicated and hard to understand. Cyber crime is basically a commercial endeavor, designed to make money. The others are intended to gain advantage or cause mischief. What are some examples of cyber crime?
Probably the category most widely understood is the theft of personal information. This could be credit card data or individual bank account information. These are harvested by several means. It could be that someone simply writes down your card information in a restaurant, or they could actually trick you into giving it to them with a fake e-mail from your bank. It could be low tech or highly sophisticated. One ring had a technique called “memory scrapers” that captures your bank info during the micro seconds it was decrypted inside the bank system’s computer. Regardless of how they get it, the bad guys take your information and either exploit it themselves by taking your money, or they sell the information to others who exploit it.
In the world of online commerce, there are numerous ways for criminals to take advantage of people and vendors. They can “follow” you to vendors, and when you buy something legitimate, they convince the company that they referred you, thus gaining an unearned commission. They can use your personal info to buy things you never wanted, sending purchases to themselves.
They can send ads to users who would otherwise not get them. These “companies” sell cheap ads to legitimate merchants, and pay them regardless of how their advertisements got on the target’s computer screen. They only care that the target has “clicked” on the ad. This is taken further when the adware company creates fraudulent clicks and charges the merchant. They can also cause bots to click on competitors’ advertisements. Since they pay by the click, you can eat up a competitor’s budget, and they get nothing for it.
They can break into a computer or network, encrypt data, and hold it for ransom. The owner has no choice but to pay or lose access to his data. This is a lower-end variation of the SCADA attacks in Latin America where hackers took control of utilities’ control systems and demanded payment to not close them down. A good hacker can take over a modem in a computer and cause it to dial premium 1-900 numbers. This can cause embarrassment and possibly cost you lots of money.
If a bad guy has control of many computers, he can make lots of money. The bigger your botnet, the more clicks you can generate, the more spam you can send, the more ads you can distribute. Big bots are also harder to pinpoint and shut down.
All of this becomes more attractive to criminals because it has numerous advantages. It is relatively cheap to execute. It is physically safe (security guards don’t shoot cyber criminals). It is difficult to detect and harder to attribute to individuals. And lastly, it is hardly ever prosecuted. Clearly some cyber criminals are caught and sent to jail, but compared to the number of people who play at cyber crime, it is a drop in the bucket.
The American public is blissfully unconcerned by cyber crime. For the most part, companies cover our losses, and unless we have been personally hit by identity theft, we all assume it will not happen to us. That is either naive or arrogant. It is likely that you (and I) will become a victim of cyber crime this year, even if we are careful. We can lessen the risk, but without awareness, we will do little that helps.
We desperately need education, information and action to help combat cyber crime.