Cybercrime gangs
Date: June 04, 2007
That’s the good news. The bad news is, as India becomes more of a global powerhouse, it also becomes more of a target to cyber thieves, hackers and organized Internet gangs.
The Indian Computer Emergency Response Team (CERT-IN) reported that the number of defaced websites in India has gone up dramatically. Both government and corporate website defacements are on the increase, with 430 websites being hit during December 2006 alone. About 25 percent of these attacks were from the LORD defacer group, a Turkish group that defaces websites and leaves messages on the defaced site. Groups like this seek not only to praise themselves, but also to disseminate political or religious messages. It has become such a major problem that the Ministry of Home Affairs declared in December that all ministries and departments should host their sites only on central government and state government-owned servers.
These are simple attacks that can be easily prevented, and bringing hosting in-house is a good first step. With direct control over the web environment, organizations can impose a stricter access policy and a firewall based on unified threat management (UTM) technology, and IT security officers can keep close tabs on what’s going on in the network. But while defacements are a problem for Indian websites, it would be a grievous mistake to think that they represent the biggest or most dangerous problem. The notorious Nyxem virus, for example, although its actual damages were minimal, found its highest level of infection in India. Outside of defacements, other cyber intrusions in India consisted of phishing, unauthorized scanning, and virus/worm attacks, with CERT-IN’s December totals showing 67 percent attributed to phishing, 22 percent to unauthorized scanning and 11 percent to virus/worm attacks.
In fact, the greatest cybercrime problem worldwide is not common hacking or defacements, despite the embarrassment they may bring, but attacks that are economically motivated. Cybercrime has become a big business. Today most hackers have no political axe to grind; they do not seek glory from the hacker community, and they have neither a religious agenda nor an extremist philosophy. They are in it for the money.
The malware economy
The spread of malware is driven by the very real prospect of economic gain, and as attackers gain more success, the malware economy becomes self-perpetuating. Spammers, phishers, and other cyber criminals are becoming wealthier, and therefore have more financial power behind them to create larger engines of destruction. Hacking is no longer the domain of the single, lonely character sitting in his parents’ basement; it is a big business, often led by wealthy individuals, with multiple employees and large bankrolls of illicit cash. Worse, not only are the frequency and sophistication of attacks increasing, the amount of damage is increasing as well. A Gartner Group report showed 2006 profits from phishing scams rose over 400 percent, from $257 per victim to $1,244 per victim.
Despite widespread attempts at education and reports in the press, these attacks continue to be incredibly profitable. They play on greed and sympathy, and target everyone, not just the uninitiated. In the United States, the new year opened with a report out of Michigan, where a county treasurer (who presumably should have known better) fell for a Nigerian ‘419’ e-mail scam and embezzled over $1 million in county funds to send to Nigerian fraudsters overseas. Also in January, a Nigerian man associated with a cyberfraud ring was arrested in Holland with 1.2 million in his pocket.
As the cybercrime industry grows and becomes more organized, it also becomes easier for attackers to execute attacks. It is now possible to buy and sell malware in an underground marketplace. Some of the most successful cybercriminals today are not even the ones who perpetrate attacks directly, but those who provide the infrastructure, by creating illicit botnets, phishing kits, and other attack components and selling them to others.
The nature of converged attacks
Modern attacks are no longer limited to a single vector. There is an increasing level of malware convergence, with attacks now combining spam, phishing, viruses, and directory harvest attacks designed to yield the greatest level of profitability to the attacker. In addition, today’s attacks are often a series of waves, each wave having a specific purpose. A simple attack will start with a Directory Harvest Attack wave to build up a list of valid e-mail addresses. This is followed by virus-laden e-mails whose payload makes a user’s system part of a botnet. The machines in the botnet are then used to disseminate the phishing e-mails that produce the monetary return for the attack.
In recent months, there has been an increase in phishing attacks that target account-holders of major national banks. These attacks start with e-mails that appear to come from a legitimate banking source and lure users into clicking on a false website URL, where the victims are tricked into revealing their login information. Some may even combine phishing with an embedded intelligent keylogger, which watches keystrokes to determine when a user attempts to visit a legitimate banking website, and then replaces that legitimate URL with a duplicate URL that is connected to the attacker’s server.
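The directory harvest wave that opens the attack chain described above leaves a recognisable trace on the mail gateway: one client address probing many nonexistent mailboxes in a short time. This added example (not from the article or SonicWall) flags that pattern in Postfix-style reject lines; the log lines are constructed sample data, and the 5-recipient / 60-second threshold is an illustrative assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style SMTP reject lines (sample data, not real logs).
# 203.0.113.7 probes five addresses in seconds; 198.51.100.9 is a single typo bounce.
SAMPLE_LOG = """\
Dec 12 09:00:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alice@example.in>: Recipient address rejected: User unknown
Dec 12 09:00:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <amit@example.in>: Recipient address rejected: User unknown
Dec 12 09:00:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <anita@example.in>: Recipient address rejected: User unknown
Dec 12 09:00:03 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <arun@example.in>: Recipient address rejected: User unknown
Dec 12 09:00:04 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <asha@example.in>: Recipient address rejected: User unknown
Dec 12 09:05:30 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <sales@example.in>: Recipient address rejected: User unknown
"""

# Pulls the syslog timestamp, the connecting client IP and the rejected recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>.*User unknown"
)

def parse_rejects(log_text):
    """Yield (timestamp, client_ip, recipient) for each 'User unknown' reject."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt").lower()

def detect_dha(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: distinct_unknown_recipients} for clients that were rejected
    for `threshold` or more distinct nonexistent mailboxes inside any `window`."""
    events = defaultdict(list)  # ip -> [(ts, rcpt)]
    for ts, ip, rcpt in parse_rejects(log_text):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for ip, n in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {n} unknown recipients in 60s")
```

Feeding the flagged client addresses to the gateway's rate-limit or block list stops the harvest before a usable address list is built, which removes the input the later virus and phishing waves depend on.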
Solving the problem
We tend to think in terms of security silos, with individual solutions targeting specific attack vectors. Unfortunately, this view is inadequate, and there is no single ‘silver bullet’ that can make your network secure. On the contrary, the solution must come from multiple areas, multiple tools, and multiple people throughout the organization. Solving the corporate security dilemma requires a dynamic and multi-layered approach that is not a single solution, but rather, the coordinated interaction of multiple solutions.
The first four layers are technological solutions, and include a comprehensive system for protecting your e-mail system, a firewall, a content filtering system, and secure remote connectivity. Remote machines, whether they are an individual employee’s home laptop or a client site halfway around the world, pose a great danger simply because you have less control over their configuration; establishing a secure connection through an SSL-VPN can overcome the challenges posed by these remote connections.
The fifth and sixth layers are not technological, but legislative and behavioral. Information technology has connected the world to an unprecedented level, and India’s continued global success depends on the continued interconnection of India and the rest of the world in terms of economy, information, and most importantly, technological infrastructure.
The author is President and CEO of SonicWall Inc