How cyber-crime became a multi-billion-pound industry
Edie G. Lush says it has become increasingly difficult to protect personal and corporate financial data against sophisticated online fraudsters and extortionists
Imagine you're the finance director of a quoted financial services company. You receive an anonymous invitation to a 'Party of a Lifetime' in the form of a USB memory stick. Hopeful of some welcome distraction, you plug it into your office computer. But unbeknown to you, the stick has been sent by a criminal gang seeking a way into your company's IT system. The stick searches your directories, sends private files to the gang, inserts a 'keylogger program' which records your keystrokes and passwords, and sets up a way for the gang to attack your network. Far-fetched? No, it isn't.
Earlier this year 500 UK finance directors received memory sticks in this way and 47 per cent of them ran the application contained in it. Fortunately for them, the sticks had been sent by IT Security group NCC as part of a security awareness campaign. According to NCC, a hacker could have gained access to the directors' email systems and personal details, and to unreleased trading statements which could have been used as a basis for insider share dealing.
Online crime has become a multi-billion-pound business. It isn't just companies who have something to fear: anyone with an internet connection is vulnerable to identity theft and financial loss in our interconnected world. Spend an hour with a computer security professional and you may want to resort to pen and ink for all future communication. 'The size of the footprint you leave online is growing ever larger. It's incredibly easy to find out who works at a company, what they do, whom they're connected to on MySpace. A hacker can use this knowledge to many evil ends,' says Information Risk Management's Chief Technology Officer Phil Huggins. Huggins says the world of computer security has been transformed from geeky teenagers playing War Games to a global industry run by organised gangs. Jason Greenwood of VeriSign Intelligence Services divides online crime into three main types: 'phishing', 'malware', and corporate attacks.
Phishing emails try to manipulate recipients into clicking on links which direct them to websites where they will divulge confidential information or unwittingly upload malicious software (malware) that will steal data. (Why the annoying use of 'ph'? The formulation is probably linked to hacker jargon: 'phreaks' were early hackers who broke into telephone systems.) According to a report by the Anti-Phishing Working Group, the number of unique phishing websites surpassed 55,000 in April 2007, a fivefold increase from a year ago; 174 different brands were targeted, mainly financial institutions in Europe, the US and Canada. Social networking groups and web email providers were also hit.
Why would anyone fall for such a ruse? Simon Church of VeriSign says the criminals have become incredibly sophisticated. Their emails and websites look identical to real correspondence from your bank or from familiar websites such as eBay or Paypal. 'Trust is also a part of it,' he says. 'People want to respond quickly to an email from their bank — especially if it says urgent action is required.'
One recent scam lured 1,400 US executives to a website purporting to be the Better Business Bureau, a US corporate watchdog. The email, addressed by name, invited the recipient to review a copy of a recently filed customer complaint, by clicking on a link. If they did so using Internet Explorer, they unwittingly installed a 'Trojan' (after Trojan horse) virus that sent sensitive data to the attackers. The cache of data retrieved after the con was discovered contained bank and credit card numbers, passwords, online payment accounts and home addresses. Security expert Marc Rogers describes another Trojan called MetaFisher which rewrote bank websites: 'As you connected to your bank's website and it asked for two characters from your log-in, MetaFisher rewrote it to ask for all eight. The criminals got your password and the bank let you into its website.'
Malevolent websites are multiplying by the day. A study by Google in May found 450,000 booby-trapped pages out of a sample of 4.5 million pages. A further 700,000 looked likely to be dangerous. Most of the websites exploit weaknesses in Microsoft's Internet Explorer browser: while some do annoying but harmless things like altering the start pages in your browser, increasingly common are sites that steal private details or turn your computer into a 'bot' — one which is remotely controlled by someone else. Bots can be used to harvest email addresses, send spam and conduct attacks on corporate websites.
IRM director David Cazalet says attacks on companies are much more common than you'd think. Companies are not obliged to tell us every time their security has been breached and 'the last thing any company wants you to know is that they've been hacked'. A recent survey by database security firm Secerno found half of consumers said they'd take their custom elsewhere if they knew a company had lost their personal data. But the public is only informed when the violation is too big to hide. Cases that have made it into the public eye include Swedish bank Nordea, which lost 900,000 euros to phishers in the US and Russia. Between 2002 and 2006, cyber-crooks stole data from 457 million cards used by shoppers at TJ Maxx in the US. In 2005, the London offices of Sumitomo Mitsui nearly lost £220 million after a 'cleaner' installed a keylogger in one of its computers: the plot was discovered after one of the gang tried to transfer £14 million to an account in Israel.
Then there are the 'Denial of Service' (DoS) attacks, which use armies of 'bots' — or 'zombies' — to flood company websites with fake data requests. The words conjure up images from Night of the Living Dead and the reality is the online equivalent of consuming a living person's flesh, as hundreds of thousands of 'zombies' attack a website until they've taken it offline — which can disable it for days and lose the company a fortune. Usually the attacks are accompanied by demands for money. Gambling and porn sites were among the first to get hit: reluctant to seek police help, they paid the ransom — often to accounts in Russia or Eastern Europe. Last month, the Telegraph website was taken down for several days by what Edward Roussel, digital editor of Telegraph Media Group, calls a 'particularly strong and pernicious DoS attack' that wasn't accompanied by a request for money. Why would anyone attack a newspaper's website? 'We're still investigating,' says Roussel. 'We're a news company with strong opinions and that has put us at odds with a number of people and governments.'
What are online conmen getting for their efforts? A cyber-extortionist can demand a very big pay-off to stop a DoS attack. Data-harvesting can be lucrative too. Jason Greenwood of VeriSign oversees a team that monitors web chatter about phishing attacks. 'The price goes up the more information is supplied: 100 standard unverified Amex accounts might be worth $10. Ten verified Amex gold cards with no credit limit could earn you $50. But if you're offering the name, social security number, spouse name, address, date of birth and mother's maiden name, you could earn $100 or more per stolen identity.'
Of course there are defences against hackers, and you'd be mad not to install anti-virus, anti-spyware and anti-spam software on your personal computer. Likewise, at a corporate level, companies have a fiduciary duty to ensure the security of their data and systems. But the fraudsters' techniques are evolving faster than the public's knowledge of the risks, says Rogers. And the future looks even more terrifying. Simon Church of VeriSign says the online auction sites that criminals use to sell user details are just the beginning. He foresees one of the web's current favourites — 'mashup' sites that put together different databases — being turned to illicit use. 'Imagine if a hacker put together information he'd harvested from a travel company's database with Google Maps. He could provide a tech-savvy burglar with the driving directions of how to get to your empty house the minute you go on holiday.' I don't know about you, but that's enough to make me resort to carrier pigeons and cash.