The Truth about Cyber Crime, As Told by Eset

Article by George Norman (Cybersecurity Editor)

on 13 Oct 2009

October is National Cyber Security Awareness Month and naturally the topic of cyber security is on our mind, especially since we’ve seen a new rogue security software application in the wild that’s called just that: Cyber Security. We here at FindMySoft contributed to the whole raise awareness thing via these articles:

How to Keep Your Computer Protected and Secure
How to Recognize Spyware Infection Signs
How to Keep Your Password Safe and Protected

And we continue to spread the word with the aid of Eset’s Director of Malware Intelligence, David Harley, who answers a few questions about cyber crime.

  • Are certain types of threats more widespread in particular geographical areas?

Brazil and eastern Europe seem to be particularly associated with ID theft and phishing (and mule recruitment for money laundering). The Far East too, but China also seems to be cited as a hotbed of industrial and military espionage, though the amount of military involvement is moot. West Africa remains well-represented on advance fee fraud (419s, certain kinds of job scams, lottery scams). Stock fraud and some forms of spam are commonly perceived as originating in the US. But any state with reasonable connectivity can originate or relay threats. A lot of the actual code seems to come out of S. Asia.

  • Are cyber criminals lone operators, or is cyber crime an organized thing?

Cybercrime is already very organized on business models analogous to legit models. There are still amateurs and lone operators but they’re more profit-driven now and often offer freelance services on the same lines as the more "professional" cybercriminals.

  • It is said that most of the malware in the wild is created by an underground economy. How is it organized?

There’s a lot of specialization: coders, kit providers, money launderers, botherders, cardfraud specialists. Much of it is negotiation between freelancers but cooperation often mirrors (roughly) free economy models. In general the top tier "service provider" either rents access to a botnet to a "customer" or manages attack services for them in return for a fee.

  • Do the programmers that come up with malware really earn so much that they find this life appealing? One would assume that if they come up with these malicious programs they surely have a high standard of education and tons of technical knowledge. So why wouldn’t they go for a legit programming job?

A lot of code is actually workmanlike rather than sophisticated but that’s often enough. Most of the R&D goes on detection evasion. That and the problem of sheer sample glut are enough to keep a gang under the radar much of the time. Some social engineering attacks are creative, but many are actually very stereotypical. Much of the problem is a failure in educating victims, not technical brilliance on the part of criminals.

As for motivation, education hasn’t eradicated sociopathy in Western culture and some other cultures and economies almost enforce what we see as criminal behaviour. On the other hand, even in the West many people find it hard to extrapolate ethical norms to an online context.

Yes, a lot of money is being made, but most people are getting a thin slice of the salami. In many cases they don’t discriminate between ‘good’ and ‘bad’ behaviour even if they realize that participating in click fraud or being a money mule hurts others because they can’t afford to… Sometimes or often there’s an element of duress.

Maybe I should expand on that in-joke about salami: salami-slicing is a name sometimes given to fraudulent activities where tiny sums are misappropriated from many people rather than large sums from a few people (or organizations). The term goes way back, but the approach is often used by banking Trojans.

  • Is malware becoming more sinister over time?

Malware is sinister by definition but today’s threats tend to do more damage to the victim’s financial and general wellbeing. Older threats usually compromised (or, more rarely, damaged) systems rather than people’s offline health and wealth. They probably hurt corporates more dramatically than individuals – not that it isn’t grim to have your hard-disk trashed, but there are collateral forms of damage such as loss of reputation and legal complications that were less likely to affect home users than corporate organizations.

There’s a trend these days to threats that also compromise national security: overstated right now maybe but definitely a trend upwards.

  • Are the authorities taking cyber crime seriously? An actual mugging is not that different from banking theft, now is it?

Less a matter of perception than resources. Local law-enforcement tends to manage "traditional" crimes better than cyber-crime, and more centralized, specialized units are under-resourced for the size of the problem and concentrate on crimes entailing massive financial damage. Local forces tend to use different performance metrics.

  • Does the Interpol for example, or any other similar organizations, need to do more to fight cyber crime?

Law enforcement agencies are limited in resources and expertise, as well as mandate. More attention from LEAs (Law Enforcement Agencies) to one area impacts negatively on others. However, cooperation with other groups (vendors, security services, other researchers) fills some of those gaps.

  • With reports of malicious software hitting governments, can we talk about a cyber terrorism problem or an increasing cyber terrorism problem?

Many attacks that affect governments aren’t targeted. Spear phishing, where an individual -is- targeted, sometimes originates with the military or espionage services rather than terrorist groups, though sometimes the distinction is fuzzy. I’d say that out-and-out terrorism is more often associated with other kinds of disruptive attacks such as website defacement and denial of service, though any group might try to steal credentials with malware or by social engineering, in order to effect an attack. However, terrorism-related spear phishing and other cyber-attacks are likely to rise rather than diminish.

  • There has been some speculation going around that states rather than individuals are behind some malicious attacks. Is this true? Could malicious software applications someday become part of a military’s arsenal?

The military have been looking at cyberwarfare for many years. It’s not possible to say authoritatively how often it’s been used offensively. For instance, the "Iraqi Printer Virus" of the first Iraqi offensive is usually assumed to be a hoax, but I’ve been told by surprisingly authoritative sources that there is some truth in it. (But not how much!)

Many of the attacks that are ascribed to states attacking other states are certainly actions by individuals or informal groups.

  • What threats do you see popping up in the future?

I’d expect more professionalization with regard to quasi-terrorism. More cybercriminals will masquerade as legit businesses, as happens now with fake security software. Attack technology tends to be somewhat cyclic, so we tend to see new twists on old scams. The most effective threat is still social engineering, and I don’t see that changing. Major shifts in the threatscape like the diminishing proportion of worms and viruses occur quite slowly, and old techniques are often revived.

