A recent presentation by Special Agent Johnny Starrunner of the FBI at the NYS Cyber Conference in Albany was enlightening and frightening. To be honest, I have heard most of it before, but getting it all at once, from a front-line guy fighting this war, drove it home. If we do not get hold of this threat, we are in deep trouble.
Cyber crime comes in lots of flavors. It is diverse, sophisticated and expanding every day. It includes Internet fraud, online banking fraud, a highly developed cyber underground, a growing list of targeted sectors, and the “advanced persistent threat,” a term that until recently was classified.
It is almost impossible to accurately determine the “cost” of cyber crime. It is not just the dollars that must now be listed as losses; the damage goes much wider. Reputations tarnished or destroyed are difficult to price. Additionally, many events are unreported or underreported. To give you at least an order-of-magnitude idea, the very conservative known cost for the staggering 336,000 reported complaints in 2009 was $559.7 million, nearly double the dollar loss recorded in 2008. This does not include the loss of “pure” intellectual property, which is difficult to value accurately. Add that in and the numbers skyrocket.
Internet fraud (IF) is the best-known form of cyber crime; it includes scams of all sorts. These have been tied to recent disasters (Haiti, tornadoes, the Gulf spill), electronic income tax filing (give us your info, we’ll file for you), stimulus check collection and online auctions: nearly anything that might convince the unwary to reveal personal information to the scammers. Many of these are crude, but many are highly sophisticated and polished. Cyber criminals sometimes blast a lure out to anyone and everyone, but often they are highly targeted and specific. The potential profit is so big that the bad guys are highly motivated.
Online Banking Fraud (OBF) is more specific and aimed at bigger fish. It may start with attempts to steal an individual’s information, but the real aim is to steal account credentials, the higher-privileged the better, through malware or scams. The stolen credentials are then used for transactions kept under $10,000 each, the U.S. currency transaction reporting threshold, to stay under the radar. The criminals sometimes make counterfeit cards or simply do electronic transactions directly with the data. They can raise credit limits (it seems to be easier for them to do than for legitimate customers!), and then begin to transfer funds to “money mules.” These are individuals, often recruited through work-from-home online job offers, who then forward the money to overseas recipients. The main malware families used in this sort of crime are the ZeuS Trojan, Clampi and the Bugat Trojan, according to Starrunner.
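The pattern described above, a burst of transfers each kept just under $10,000 and sent to payees that were only recently added to the account, is detectable on the bank side. The following is an added example (not from Starrunner’s presentation, and not any bank’s actual fraud logic) that scans a constructed set of outbound transfers and flags sliding windows of near-threshold payments to new payees. The $10,000 figure is the real U.S. currency transaction reporting threshold; the 90% “near threshold” ratio, the 48-hour window and the minimum burst size are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound transfers from one business account.
# Fields: timestamp, source account, payee, amount (USD), and whether the payee
# was added to the account's payee list within the last few days.
SAMPLE_TRANSFERS = [
    ("2010-06-01T09:12:00", "ACME-OPS", "VENDOR-0042", 14250.00, False),
    ("2010-06-02T10:03:00", "ACME-OPS", "MULE-A",       9800.00, True),
    ("2010-06-02T10:41:00", "ACME-OPS", "MULE-B",       9650.00, True),
    ("2010-06-02T11:15:00", "ACME-OPS", "MULE-C",       9900.00, True),
    ("2010-06-02T14:02:00", "ACME-OPS", "VENDOR-0042",  1200.00, False),
    ("2010-06-03T08:55:00", "ACME-OPS", "MULE-A",       9700.00, True),
    ("2010-06-10T09:00:00", "ACME-OPS", "PAYROLL",     48000.00, False),
]

CTR_THRESHOLD = 10000.00        # U.S. currency transaction reporting threshold
NEAR_RATIO = 0.90               # assumption: "just under" means >= 90% of threshold
WINDOW = timedelta(hours=48)    # assumption: burst window
MIN_BURST = 2                   # assumption: minimum transfers to call it a burst


def parse(rec):
    """Turn one sample tuple into typed fields."""
    ts, src, dst, amount, new_payee = rec
    return datetime.fromisoformat(ts), src, dst, float(amount), bool(new_payee)


def is_near_threshold(amount, threshold=CTR_THRESHOLD, ratio=NEAR_RATIO):
    """True when the amount sits in the band just below the reporting threshold."""
    return ratio * threshold <= amount < threshold


def find_structured_bursts(transfers, window=WINDOW, min_burst=MIN_BURST,
                           threshold=CTR_THRESHOLD):
    """Return one alert per sliding window in which at least min_burst
    near-threshold transfers went to recently added payees and the window
    total exceeds the threshold the individual transfers were kept under."""
    by_src = defaultdict(list)
    for rec in transfers:
        ts, src, dst, amount, new_payee = parse(rec)
        # Only new payees and near-threshold amounts are structuring candidates.
        if new_payee and is_near_threshold(amount, threshold):
            by_src[src].append((ts, dst, amount))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            # Extend the window as far as the events stay within `window` of start.
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            burst = events[i:j]
            total = sum(a for _, _, a in burst)
            if len(burst) >= min_burst and total > threshold:
                alerts.append({
                    "account": src,
                    "start": start.isoformat(),
                    "end": burst[-1][0].isoformat(),
                    "transfers": len(burst),
                    "payees": sorted({d for _, d, _ in burst}),
                    "total": round(total, 2),
                })
                i = j          # do not re-report overlapping windows
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_structured_bursts(SAMPLE_TRANSFERS):
        print(alert)
```

On the constructed data the vendor and payroll payments pass untouched, while the four transfers to MULE-A, MULE-B and MULE-C within 48 hours collapse into a single alert totalling $39,050. Treat this as a triage signal rather than proof: a legitimate business onboarding several new suppliers can trip it, so the new-payee flag and the total should feed a review queue or a step-up authentication decision, not an automatic block.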
The cyber underground began as a completely decentralized activity but now operates like a corporation; it is transnational, very efficient and highly evolved. It has huge numbers of the most talented cyber practitioners in the world working for it every day. The compensation is lucrative, and the crime is relatively low-risk for those committing it. The underground also reaches out to unskilled people and recruits them into the market, uses them for various low-level tasks, and tests them to see if they have skills worth developing.
The underground is agile and adaptable. It moves fast: once a vulnerability is identified, within days it can pull off huge operations. The crew finds an opening, develops an exploit that will let it grab as much useful data as possible in a short period, deploys it, and uses it to extract the information it needs. That data is used to make counterfeit cards, often with elevated account limits, which mules worldwide then use to pull lots of money out in near-simultaneous withdrawals in multiple cities (and/or countries). The last step in the operation is for the mules to send the proceeds (minus their agreed-upon commission) on to the underground.
Another speaker at the NYS Cyber Conference described an operation in which the bad guys replaced the self-checkout machines in 67 stores of a major supermarket chain and for weeks harvested card data from every customer who used them. There were five to seven machines in each store, times 67 stores, times “weeks”; you do the math. It was quick, slick and aimed at normal folks just trying to buy groceries.
The highly developed social structure of the underground includes:
- Coders/programmers: write the malware
- Techies: develop the way in
- Hackers: actually break in
- Vendors: sell the kits and products (true capitalist diversification)
- Fraudsters: English speakers who write the phishing e-mails and may even make the phone calls
- Carders: make the counterfeit cards and the equipment to produce them
- Cashers: convert the data to cash
- Money mules/Reshippers: the bad guys move money (or merchandise) to them, and they send it on
- Tellers: convert money to other currency
There are carding forums where the underground sells stolen information, credit card data and other criminal assets. It has websites, tech support organizations, entire structures to ensure it squeezes as much profit out of the enterprise as possible. It is now expanding its targets to include personal medical information, Electronic Health Records (EHR) and the like. These are used to blackmail people, to perpetrate insurance fraud and to extort insurance companies. The targets for this sort of information theft are individuals, hospitals, HR departments, government offices and insurance companies. As we move toward greater use of EHRs, we can only expect this to grow.
Social networking sites are also huge target areas for the bad guys. They use the ever-growing popularity of these sites (millions of participants) as vehicles for spam, to post fake adverts that launch malware, and to harvest personal data to build a profile and work out the answers to password-reset security questions. Those answers are then used to take over your account and go after all your friends next.
The really dangerous enemies use what is now referred to as the Advanced Persistent Threat (APT). This is a high-level, extremely sophisticated class of threat that for now seems to be confined to nation-state intelligence organizations. How long it will remain in that area is unknown. These threats place long-term leave-behinds in order to steal information: intellectual property, national security secrets and other valuable data (personal data is not their objective). Their methodology is as follows:
- Recon and find the vulnerabilities;
- Execute the network intrusion;
- Obtain user credentials (they keep working this until they reach administrator level);
- Establish backdoors to enable multiple ways back in;
- Install multiple utilities;
- Extract data; this is the long-term goal, but the intrusion may also include potentially damaging booby traps for future use; and
- Maintain resilience (they will actually “clean up” other malware on the network to ensure theirs works well).
APTs will target the government and military, cleared defense contractors, and lucrative private-sector targets (pharmaceutical, energy, high tech).
In short, this problem must be addressed, and it must be addressed now. The bad guys are getting better at this, and law enforcement needs help. This is no longer a purely “criminal” activity; it quickly shades into national security. There must be more cooperation, and it must come soon.