Computer Crime Research Center


How cyber crime went professional

Date: August 13, 2008

A huge increase in internet crime is only part of the picture. The bigger worry for many organisations is that they are now being individually targeted by criminals using sophisticated technology.

By Sarah Arnott

As Russian and Georgian soldiers were flinging explosive artillery shells at each other, both sides in the South Ossetia conflict were also exploiting the very latest in cyber aggression, using techniques honed by professional gangsters specialising in online crime.

Although the attacks are largely untraceable, both sides are pointing the finger firmly at each other. Russian reports claim that South Ossetian government sites were brought down by Georgian hackers. But Georgian institutions, including government departments and the National Bank, have also suffered a string of attacks. Georgia's foreign ministry is posting all news content to the Polish President's website after its own was taken out when President Mikheil Saakashvili's pages were replaced with pictures of Adolf Hitler. Meanwhile, reports also claim that Russia's RIA Novosti news agency site is being targeted and crashed.

Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor's computer.

Some are more sophisticated. MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

Hacking, which was once the preserve of tech-savvy teenagers showing off, has turned into big business. By some estimates, organised crime represents up to 20 per cent of the global GDP, and cybercrime is the fastest-growing part of it. And as the perpetrators become more experienced, the attacks become more precise.

"There is an increase in targeted attacks on specific pieces of high-value information, whether that is directors of companies and their personal pension investments or attacking corporate networks to try to take intellectual property (IP) out of the organisation and move it to the developing world," said Chris Potter, a partner at the consultancy PricewaterhouseCoopers.

The term cybercrime covers a multitude of sins. Spam campaigns and infected web pages can be used to embed spyware into end users' computers – to monitor keystrokes and steal anything from single credit card details to a large chunk of corporate data.

Or they can be used to recruit the computer into a "botnet", a network of hijacked PCs that can be used either to launch more spam, or to participate in denial of service attacks (DoS) that target a website and bombard it with traffic until it crashes.

The cyberwarfare over South Ossetia is of this type. "The computer in Aunt Ethel's back bedroom may be right now playing a role in a cyber warfare campaign," explained Graham Cluley, a senior consultant at Sophos, a security company. "We don't know for certain it is Russia attacking Georgia and vice versa, or if the attacks are sanctioned by the military, but there is clearly disruption taking place as the governments take pot shots at each other."

As internet crime has become professionalised, it has spawned a shadow economy that could be worth as much as $105bn (£55bn) every year.

Shadow economy: Just like the real world

* Malware is the software that drives all types of cyber attack, from high level espionage to basic theft. Off-the-shelf malware can cost from $50 (£26) to $3,500, depending on the sophistication of its targeting, what kind of information it can grab, and what kind of security it can circumvent. You can also buy a service to monitor anti-virus developments and tweak your malware accordingly – charging $25 to $60 per month – or a premium service to make it undetectable.

* The next step is finding targets. A basic list of unqualified email addresses costs about 1/10th of a cent per address; a complete identity, including UK national insurance number, could set you back by $5 a piece. For a tailored solution – corporate executives within a certain geography or industry sector – expect to pay bespoke prices.

* The next step is to send the program out, using a "botnet" of thousands of innocent computers hijacked by hackers. Services can be bought piecemeal, costing about $10 for a million mails. Or the botnet can be rented and used for spamming, hacking, denial of service attacks, or anything else you might have in mind. One hour of a reasonable-sized network of 8,000 to 10,000 computers costs about $200.

* The most common aim is theft of credit card details. A successful attack might yield 100,000 numbers within a week. You can then either exploit them yourself, or sell the list on an online forum for 2 per cent to 5 per cent of the remaining balances. If the average card on your list has remaining credit of $1,000, each set of details is worth around $25 – bringing in $2m.