The Explosion of Cybercrime
Cybercrime is broadly defined as any crime involving a computer or a network. In the last decade, the amount of cybercrime has grown substantially resulting in significant losses to businesses, and lining the pockets of criminals. This article presents some information about some of the common cybercrime activities and it helps emphasize the value of IT security for any organization.
It also helps to emphasize the value organizations place on employees with IT security awareness. The (ISC)2 CISSP has become one of the top IT security certifications and many organizations seek employees with this certification for both IT jobs and managerial positions. Lower level security certifications such as CompTIA’s Security+ and the (ISC)2 SSCP are also valued by organizations. For example, the U.S. Department of Defense requires anyone with an administrative account to have at least a Security+ certification.
In high-crime areas, extortionists have demanded payments from businesses for “protection.” If the businesses refused, the business was attacked, robbed, employees harassed, and in extreme cases, the business was burned. Of course, the extortionists actually attacked the businesses when the protection money wasn’t paid.
Extortion has made it to the cyber community. Attackers use distributed denial of service (DDoS) attacks to show they can cripple Websites and corporate networks. They then demand protection payments to stop the attacks. Ron Lepofsky wrote in 2006 that the U.S. and FBI receive at least 20 new cases of cyber extortion a month. Blackmailers use various types of denial of service attacks to cripple Websites and corporate networks. They then demand protection payments to restore the service. Extortionists have demanded ransoms of more than 1 million dollars to stop the attacks. Some companies quietly pay. Others attempt to fight back.
A smaller form of cyber extortion is in the form of rogueware, or fake antivirus software. A user visits a Website and sees a popup indicating their system is infected, and encouraging them to download free software to clean their system. After the user downloads and installs the software, the rogueware reports several serious infections, but then states that the free version only scans the system, but won’t clean it. If they want to clean their system, they must pay between $49.95 and $79.95 for the full version. PandaLabs reported in 2008 that criminals were extorting approximately $34 million dollars a month from unsuspecting users. While this is bad enough in itself, the rogueware provides zero protection against actual malware, leaving the user with a false sense of security.
Additionally, many rogueware criminals include additional malware in the rogueware. For example, an added keystroke logger can capture a user’s keystrokes (such as capturing passwords for online banking accounts) and periodically send the data to the criminal. Many versions also include software to convert the computer into a zombie as part of a botnet.
Botnets have grown to astronomical proportions over the past few years, and despite some successes, they’re still stealing money from people every day. As an example, NBC reported in 2004 how a small business in Miami was attacked. Specifically, their computer was infected with the CoreFlood virus (used in the COREFLOOD botnet) and someone transferred $90K out of their Bank of America account without their authorization to a bank in Latvia. Before this, the COREFLOOD botnet was primarily known for DDoS attacks.
Other losses from the COREFLOOD botnet include $115K from a real estate company in Michigan, $78K from a law firm in South Carolina, $151K from an investment company in North Carolina. The list goes on and on. Don’t think they’re only attacking businesses though. It’s just that when an individual’s $1,000 in savings is stolen, it isn’t as newsworthy as a loss of tens of thousands of dollars. Still, the loss of $1,000 by an individual can be devastating.
Interestingly, a report in June 2008 by Joe Stewart (Director of Malware Research, Dell SecureWorks) showed this same botnet was still in operation and the bot herders had shifted their activities from DDoS attacks, to full-fledged bank fraud. After all, they found they could get quick paydays with much less effort. At that time, they had infected over 378,000 computers and had at least one database with over 50 Gigabytes of data on hapless users around the world. The botnet had captured keystrokes and recorded bank passwords, credit card data, email passwords, social network passwords, and more.
As of February 2010, this botnet had grown to over 2.3 million infected computers with 1.8 million of the computers in the United States. Thankfully, the U. S. Department of Justice took several steps in April 2011 to take over the botnet’s command and control servers and may have succeeded in shutting this botnet down. We’ll see.
The point is botnets are thriving. Even though experts are shutting down some of the large botnets, it’s like a game of whack-a-mole. They keep popping up. In years past, malware was used to cause damage to systems such as corrupting a hard drive or system files. Today, malware is a tool often used by criminals to steal identities and hard cash from regular people just like you and me.
Malware is increasingly difficult to detect, mostly because attackers are constantly developing new methods and strategies. One common method used today is polymorphism. Malicious code within a single virus can be run through a mutation engine to create thousands of different versions of the same virus. While one version may be detected by a malware detection signature, thousands of other mutations may get past this signature until another signature is developed to detect the mutated versions.
At one point, it was recommended that you update your antivirus definitions on a weekly basis. Some experts now suggest you update it hourly. Malware vendors are constantly working on detecting new variants, updating signature files, and publishing them.
It’s also worth noting that all antivirus (AV) software is not created equal. Virus Bulletin publishes a monthly report on the effectiveness of AV products that is quite enlightening. You may think that malware products can consistently detect close to 100 percent of malware in the wild, but that is not the case. For example, this graph shows a wide scattering of products in the 60 percent to 80 percent effectiveness ranges. This equates to a grade somewhere between a B and a D. For me, I don’t want the D student protecting my bank accounts and identity.
It’s also worth pointing out that criminals have discovered the power of malware when used effectively for criminal activities. While malware was previously used to take down systems or networks just for the fun of it, criminals don’t do that today. Instead, criminals use malware to enlist zombies into their huge botnets. These zombies then engage in activities allowing the criminals to steal money from people and organizations on a grand scale.
Zero Day Vulnerabilities
Zero day vulnerabilities are those that are known to attackers, but either not known to the vendor, or the vendor has not developed and released a fix yet. While this implies that a zero day vulnerability lasts only a single day, it can actually last months before a fix is written, tested, and released.
In other words, even if you are taking steps such as keeping a system up-to-date, running AV software, and regularly updating signature files, you are still at risk from zero day vulnerabilities. Defense-in-depth procedures within an organization include a variety of other security practices to protect systems and networks to help protect them from zero day vulnerabilities.
Cybersource publishes an annual fraud report on online fraud. Online fraud is fraud occurring through the Internet, such as charges on stolen credit cards, and chargebacks required by a credit card’s issuing bank. In the 2011 Online Fraud Report, Cybersource reported that losses from online fraud was about 2.7 billion dollars in 2010.
The good news is that online fraud appears to be declining. Online revenue losses due to fraud were estimated at 3.3 billion in 2009 and a peak of 4 billion in 2008. While this may look like criminals are trying less, that’s not actually the case. Instead online retailers have dedicated more and more resources to blocking cybercrime and are enjoying some success. That is if you want to call an annual loss of 2.7 billion dollars a success.
If you’re studying IT security certifications (such as CompTIA Security+, or the (ISC)2 SSCP or CISSP), expect your skills and your knowledge to be in high demand. Organizations using computers, and especially organizations with an online presence, are recognizing the risks to IT systems and networks. More and more organizations value individuals that understand these risks.