A recent presentation by Special Agent Johnny Starrunner of the FBI at the NYS Cyber Conference in Albany was enlightening and frightening. To be honest, I have heard most of it before, but getting it all at once, from a front line guy fighting this war, drove it home. If we do not get hold of this threat, we are in deep trouble.

Cyber Crime comes in lots of flavors. It is diverse, sophisticated and expanding every day. It includes Internet fraud, online banking fraud, a highly developed cyber underground, a growing number of targeted areas, and the “advanced persistent threat,” a term that until recently was classified.

It is almost impossible to accurately determine the “cost” of cyber crime. It is not just the dollars that must now be listed as losses; the damage goes much wider. Reputations tarnished or destroyed are difficult to price. Additionally, many times we are dealing with unreported or under-reported events. To give you at least an order-of-magnitude idea, the very conservative cost we know for the staggering 336,000 reported complaints in 2009 was $559.7 million – nearly double the numbers recorded in 2008. This does not include the loss of “pure” intellectual property, which is difficult to value accurately. Add that in and the numbers skyrocket.

Internet fraud (IF) is the best known form of cyber crime; it includes scams of all sorts. These have been tied to recent disasters (Haiti, tornados, the Gulf spill), electronic income taxes (give us your info, we’ll file for you), stimulus check collection and online auctions – nearly anything that might convince the unwary to reveal personal information to the scammers. Many of these are crude, but many are highly sophisticated and polished. Cyber criminals sometimes blast it out to anyone and everyone, but often they are highly targeted and specific. The profit is potentially so big that the bad guys are highly motivated.

Online Banking Fraud (OBF) is more specific and aimed at bigger fish. These may start with attempts to steal individual information, but the real goal is stealing credentials, the higher the privilege the better, through malware or scams. They then use them for transactions all under $10,000 to keep it under the radar. They sometimes make false cards or simply do electronic transactions directly with the data. They can raise credit limits (it seems to be easier for them to do than for legitimate customers!), and then begin to transfer funds to “money mules.” These are individuals who work from home in online jobs. These folks then send the money on to overseas recipients. The main methods used to place malware for this sort of crime are the ZeuS Trojan, Clampi, and the Bugat Trojan, according to Starrunner.

The Cyber Underground began as a completely decentralized activity but now operates like a corporation; it is transnational, very efficient and very evolved. They have huge numbers of the most talented cyber practitioners in the world working for them every day. The compensation is lucrative, and the crime is relatively safe. They also reach out to unskilled folks and recruit them into the market. They use them for various low-level tasks, and test them to see if they have skills worth developing.

The underground is agile and adaptable. They move fast, and once a vulnerability is identified, within days they can pull off huge operations. They find an opening, develop the exploit that will allow them to grab as much useful data as possible in a short period, emplace it, and use it to extract the information they need. They use this to make false cards, often with elevated account limits, then use them to pull lots of money out in near-simultaneous transactions in multiple cities (and/or countries) using mules worldwide. The last step in the operation is for the mules to send on the profits (minus their agreed-upon commission) to the underground.
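The two cash-out patterns described above (sub-$10,000 transfers fanned out to money mules, and near-simultaneous withdrawals across several cities) are exactly the kind of thing a bank's monitoring can flag. The following is an added example, not code from the article or from the FBI presentation; the transaction records, account names and thresholds are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article): (timestamp, account, kind, amount_usd, city, counterparty)
SAMPLE_TRANSACTIONS = [
    ("2010-06-01T09:00:00", "acct-A", "transfer", 9600.00, "Albany", "payee-new-1"),
    ("2010-06-01T09:05:00", "acct-A", "transfer", 9800.00, "Albany", "payee-new-2"),
    ("2010-06-01T09:11:00", "acct-A", "transfer", 9750.00, "Albany", "payee-new-3"),
    ("2010-06-01T12:00:00", "acct-B", "transfer", 9900.00, "Albany", "landlord"),
    ("2010-06-01T14:00:00", "acct-C", "withdrawal", 400.00, "Albany", "atm"),
    ("2010-06-01T14:04:00", "acct-C", "withdrawal", 400.00, "Chicago", "atm"),
    ("2010-06-01T14:09:00", "acct-C", "withdrawal", 400.00, "Toronto", "atm"),
    ("2010-06-01T15:00:00", "acct-D", "withdrawal", 200.00, "Albany", "atm"),
    ("2010-06-02T15:00:00", "acct-D", "withdrawal", 200.00, "Boston", "atm"),
]

REPORT_THRESHOLD = 10000.00  # the article notes fraudsters keep each transfer under $10,000

def _by_account(txns):
    """Group records by account, each list sorted by time."""
    groups = defaultdict(list)
    for ts, acct, kind, amount, city, cp in txns:
        groups[acct].append((datetime.fromisoformat(ts), kind, amount, city, cp))
    return {acct: sorted(rows) for acct, rows in groups.items()}

def _burst(events, window, min_distinct):
    """True if >= min_distinct distinct keys fall inside some sliding window.
    events: time-sorted list of (datetime, key)."""
    for i, (start, _) in enumerate(events):
        keys = {k for t, k in events[i:] if t - start <= window}
        if len(keys) >= min_distinct:
            return True
    return False

def find_structured_transfers(txns, window=timedelta(hours=24), min_payees=3, near=0.9):
    """Accounts sending several just-under-threshold transfers to distinct payees
    within one window: the mule-style cash-out the article describes."""
    return sorted(acct for acct, rows in _by_account(txns).items()
                  if _burst([(t, cp) for t, kind, amt, _, cp in rows if kind == "transfer"
                             and near * REPORT_THRESHOLD <= amt < REPORT_THRESHOLD],
                            window, min_payees))

def find_multi_city_cashouts(txns, window=timedelta(minutes=30), min_cities=3):
    """Accounts with withdrawals in several distinct cities within minutes:
    the near-simultaneous multi-city pattern the article describes."""
    return sorted(acct for acct, rows in _by_account(txns).items()
                  if _burst([(t, city) for t, kind, _, city, _ in rows if kind == "withdrawal"],
                            window, min_cities))
```

Only acct-A (three sub-threshold transfers to new payees in eleven minutes) and acct-C (ATM withdrawals in three cities within nine minutes) are flagged; the single large rent transfer and the day-apart withdrawals are left alone.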

Another speaker at the NYS Cyber Conference described an operation where the bad guys replaced the self check-out machines in 67 stores of a major supermarket chain, and for weeks harvested all credit card data from customers who used the machines. There were five to seven machines in each store, times 67, times “weeks” – you do the math. It was quick, slick and targeted normal folks just trying to buy groceries.

The highly developed social structure of the underground includes:

  • Coders/programmers: write the malware
  • Techies: develop the way in
  • Hackers: actually break in
  • Vendors: sell the kits and products (true capitalist diversification)
  • Fraudsters: English speakers who write phishing e-mails or may even do calls.
  • Carders: make the fake cards and machines to do so
  • Cashers: convert the data to cash
  • Money mules/Reshippers: the bad guys move the money to them, and they send it on. They do the same with merchandise
  • Tellers: convert money to other currency

There are Carding Forums where the underground sells info, credit card data and other criminal assets. They have websites, tech support organizations, entire structures to ensure they squeeze as much profit out of the enterprise as possible. They are now expanding their targets to include Medical Personal Info, Electronic Health Records (EHR), etc. These are used to blackmail people, to perpetrate insurance fraud and to extort insurance companies. The targets for this sort of information theft are individuals, hospitals, HR Departments, Government Offices and insurance companies. As we move toward greater use of EHRs, we can only expect this to grow.

Social networking sites are also huge target areas for the bad guys. They use the ever-growing popularity of the sites (millions of participants) as vehicles for spam, to post fake adverts to launch malware, to harvest personal data to build a profile and figure out answers to “change your password questions.” These are subsequently used to hack you and go after all your friends next.

The really dangerous enemies use what is now referred to as the Advanced Persistent Threat (APT). This is a high-level, extremely sophisticated class of threat that for now seems to be confined to nation-state intelligence organizations. How long it will remain in that area is unknown. These threats place long-term leave-behinds in order to steal information – IP, National security secrets, and other valuable info (they are after personal data). Their methodology is as follows:

  • Recon and find the vulnerabilities;
  • Execute the network intrusion;
  • Obtain user credentials (they work this until they can get administrator level);
  • Establish backdoors to enable multiple return capabilities;
  • Install multiple utilities;
  • Data Extraction is their goal, for the long term, but may also include potentially damaging booby traps for future use; and
  • Resilience (they will actually “clean up” the network of other malware to ensure theirs works well).

APTs will target the government and military, cleared Defense contractors, and lucrative Private Industry concerns (pharmaceutical, energy, high tech).

In short, this problem must be addressed, and it must be now. The bad guys are getting better at this, and law enforcement needs help. This is no longer a purely “criminal” activity but quickly shades into national security. There must be more cooperation, and it must be soon.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.
  • Mayurkumar Sosa

    The term ‘cyber crime’ is a misnomer. This term has nowhere been defined in any statute/Act passed or enacted by the Indian Parliament. The concept of cyber crime is not radically different from the concept of conventional crime. Both include conduct, whether act or omission, which causes a breach of rules of law and is counterbalanced by the sanction of the state.

    Before evaluating the concept of cyber crime it is obvious that the concept of conventional crime be discussed and the points of similarity and deviance between both these forms may be discussed.

    Cyber crime is the latest and perhaps the most complicated problem in the cyber world. “Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime” (13). “Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime”(12)

    A generalized definition of cyber crime may be “unlawful acts wherein the computer is either a tool or target or both” (3). The computer may be used as a tool in the following kinds of activity: financial crimes, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking. The computer may however be the target of unlawful acts in the following cases: unauthorized access to computer/computer system/computer networks, theft of information contained in electronic form, e-mail bombing, data diddling, salami attacks, logic bombs, Trojan attacks, internet time thefts, web jacking, theft of computer system, physically damaging the computer system.

    Mayur Sosa
    Diploma in Cyber Security & Post Graduate in IT

  • Sharon Smith

    I see cyber theft as a control device used under the guise of homeland security. As an ordinary citizen it is easy for me to say this, but as a racially profiled ethnic group it is vital for the freedoms guaranteed all Americans. I see an African American man as the President of the US, yet racial discrimination is on the rise; there is a caste system developing in America, racial groups are being divided more than just socio-economic classes. I went to college and have a degree, but with Obama in office that's not good enough; you must have a degree from a major university to be taken seriously in America. How does this affect cyber crime? Well, it does: not being from a major education community says that your thoughts, dreams, aspirations are not for you to articulate but instead to be profiled under a veil of higher university cyber thieves. They include former presidents, senators, ministers and many others who parcel out the intellect of the lower caste, because who can they think better than a person who graduates from Princeton or Yale. When 9/11 occurred the safety of the nation was the priority and all types of lists were compiled by the government; it turned out to become one personal vendetta after another. Can these same lists started from 9/11 be the catalyst for this new cyber theft wave that we are now in? I think that it is and will morph into something more strange as time goes on.