Doug’s Dynamic Drivel » Organized Crime and Extortion on the Web and You

January 14, 2008

It’s no secret that the web is a hive of criminal activity. From extortion to terrorism the net has provided an enormously useful organizational and action tool. For the most part it has been a way to easily hide from authorities. What is somewhat surprising is how little most people know about it. If you are the average person on the street you probably think that this is a recent phenomenon and that it probably doesn’t affect you. Nor would you grasp the scope of it. You would be wrong on all counts, even if you never or seldom use the net.

A little history to begin with

Right from the start of the modern telecommunications era there have been people taking advantage of new technology to get something that they are not entitled to. In the pre-Internet days you had phone phreaks like John T Draper, (A.K.A. Captain Crunch)hacking into the Bell telephone network and making free long distance calls by duplicating the digital tones using a whistle that came for free at the time in boxes of Captain Crunch cereal. This started a whole network hacking subculture that was primed and ready for the personal computer revolution when it started in the mid 70s with the invention of the first microprocessors.

The first networks that PC owners could connect to were university or corporate networks followed very quickly with dial up Bulletin Boards Services (BBS) networks such as FidoNet (early 80’s). BBS’s were essentially nothing more that store and forward file and email systems. A BBS operator would have their computer dial up another one at regular intervals and exchange data. Netmail, the precursor to email would eventually make its way around the world to its destination hopping from computer to computer on the same network (these networks had what is known as a star topology). This is when the criminal, or at least socially unacceptable, behavior really began. BBS users could upload files to a BBS that could then be downloaded by other users and pranksters started developing viruses that were inserted into those files and spread that way. At this point there was no financial incentive involved, nothing to be gained, except reputation, by the person who created the virus. Nevertheless these viruses created great havoc, financial and otherwise, on both personal and corporate systems, as people brought programs into work on infected floppy disks, or took work home with them that way and had the boot sector of the floppy infected as soon as they inserted it into their home computers, then returned that disk to work.

It was with the advent of the Internet, an offshoot of ARPANET, in the late 1970’s (see here for an excellent timeline) and the lifting of commercial restrictions by the NSF in 1991 that cybercrime got the network it needed to start taking off (this is when companies such as AOL and Compuserve began entering the market. Put your hand up if you had a Compuserve account in the early 90s or remember Archie, Gopher, Telnet, Mosaic). In 1991 there were just over 1,000 USENET newsgroups, by 1994 over 10,000 and the online scams were in full swing and SPAM was a fact of life.

So by now you should understand there is nothing new about cybercrime. However, what is new is the extent of it, and the organization of it.

Cybercrime in the 21st C.

The new century had hardly begun before the bad news started making it to the main stream media. In 2001 Business Week reported on an Eastern European ring that had stolen potentially millions of credit card numbers and the personal information attached to them

Until recently, cybercrime has largely been a sport for lone wolves or small groups with a taste for mischief and danger. Organized-crime groups largely left the Internet alone. Still, security experts worried that Net crime across borders would quickly proliferate. The reason: Low risk of apprehension and the potential for big rewards.

Now it appears those worries are finally starting to come true. On Mar. 8, the National Infrastructure Protection Commission (NIPC) — a federal watchdog that works with the FBI to protect the U.S. national infrastructure — took the unusual step of holding a press conference to warn businesses and the public about an ongoing investigation into what may be the largest case of organized crime online to date.

The NIPC alleges that in recent months, Eastern European hackers have infiltrated Web servers … grabbing at least 1 million credit-card numbers and other personal information from 40 U.S. financial institutions and companies. After lifting this data, the gang has allegedly attempted to extort money from their victims by threatening to post the info on the Internet…

And so it begins. Here, as identified at crime-research.org are some of the trends which even though several years old are every bit as relevant today as when written:

”Organized crime groups are using the Internet for major fraud and theft activities.” Focus on banking activities
”Organized crime involvement in what was once categorized as white-collar crime.” Pump and dump stock schemes typify this. SPAM emails are used to pump up the stock then it is dumped
”The growth of cyberextortion is a third significant trend. Extortion schemes are sometimes bungled, but they can be conducted anonymously and incur only modest risks, while still yielding high pay-offs.”
”The use of what were initially nuisance tools for more overtly criminal activities. Perhaps the most notable example of this occurred in late 2000 when a variation of a virus known as the Love Bug was used in an effort to gain access to account passwords in the Union Bank of Switzerland and at least two banks in the United States. Although this episode received little attention — and it is not entirely clear who the perpetrators were — it gives added credence to the theory that organized crime is developing relationships with technically skilled hackers.”
”Jurisdictional arbitrage. Cybercrimes — certainly when they are linked to organized crime — will increasingly be initiated from jurisdictions that have few if any laws directed against cybercrime and/or little capacity to enforce laws against cybercrime.” Most cybercrime today originates out of Russia, China, former SSR states, Brazil and Indonesia.
Money Laundering: If you can buy goods or services across the web then you have a perfect vehicle for laundering dirty money
”A seventh trend involves growing network connections between hackers or small-time criminals and organized crime.” This is pretty much de facto now. Very little hacking and virus/trojan writing and dissemination activity goes on now that is not controlled by organized crime or hostile governments (as in MI5’s recent accusations against China).
”Organized crime groups use the Internet for communications (usually encrypted) and for any other purposes when they see it as useful and profitable. Indeed, organized crime is proving as flexible and adaptable in its exploitation of cyber opportunities as it is in any other opportunities for illegal activity. The implications are far-reaching and require a response from government that is strategic, multi-level, multilateral, and transnational in nature”

How does it affect me?

As you can see, even in that old report above, organized crime is infiltrating every area of the net, and everyone who uses the net and even many who don’t are affected and paying the price for that criminal activity.

SPAM

Most SPAM can be sourced to organized crime or is enabled (through the sale of email lists or access to bulk email servers on friendly soil) by organized crime syndicates and currently SPAM comprises about 50% of all email traffic on the net. While email traffic is not the biggest use of bandwidth on the net (p2p, search engines and video sites like YouTube are) it still represents about 15 to 20% of the traffic and 50% of that share is SPAM. To put that in perspective somewhere between 5 and 10% of the cost of running the entire Internet is caused by SPAM and those costs are passed on to you by all the companies that provide access to the net in any form, be it your local ISP or the data center that hosts your corporate server.

Stolen Credit Cards

Ask someone on the street if they think it likely their credit card information is safe and they will likely tell you that it is because they don’t use it on the net. They would be wrong. Relatively few of the total number of compromised credit accounts have come from people entering their information on line. The vast amounts have come from corporate servers that have been hacked or stolen/lost laptops containing databases of such information, Wait, I hear you say, the servers were hacked over the net. Well yes but the information in those servers did not necessarily come from online purchases. If you go to a national retailer for example and purchase something in-store with your credit card, that information usually ends up in the same server as the person who purchases online. While the information may be stolen over the net it does not need to be entered over the net. In fact a substantial amount of corporate hacking takes place by disgruntled ex-employees and current employees, people intimately familiar with the network and its security, or lack thereof as noted in the 2006 CSI/FBI Computer Crime ans Security Survey

…nearly one third (32 percent) of respondents believe that insider threats account for none of their organization’s cyber losses. 29 percent of respondents attribute a percentage of losses greater than zero but less than 20 percent to actions of insiders. Hence, the remaining 39 percent of respondents attribute a percentage of their organization’s losses greater. than 20 percent to insiders. In fact, 7 percent of respondents thought that insiders account for more than 80 percent of their organization’s losses. To summarize, even though most respondents do not see insiders as accounting for most of their organization’s cyber losses, a significant number of respondents believe that insiders still account for a substantial portion of losses.

So you can see that if your information is stolen it’s not necessarily because you ordered something over the web.

Cyber Extortion

There are two primary forms of extortion going on via the net.

The first is stealing data and extorting money from a person or company in return for not selling that information to the highest bidder. This mostly affects companies now as there is so much stolen credit card and personal identity information out there that there is a thriving business selling it on the net.

The second way is to threaten a company with Distributed Denial of Service (DDoS) attacks by first attacking them briefly, putting their web presence completely off line as a result, then telling them to pay up or have their web business destroyed permanently.

A Denial of Service (DoS) attack is generally easy to defend against as it only comes from a single IP or at most a couple and they can be null-routed easily enough. A DDoS attack is another matter.

Because DDoS attacks originate from thousands, tens of thousands and even hundreds of thousands of compromised computers it is almost impossible to null route them unless the attack packets have a unique signature of some kind. That however usually only happens if the attacker is not trying to knock the site off line but instead is trying to overwhelm a particular service running on the server in order to take advantage of a known exploit to gain access to the server and exploit it. To simply bring down the server only requires that the vast army of zombie bots simply request a legitimate page on the server. If the botnet is big enough the server will not be able to keep up with the requests and the site will effectively go off line. Because there is no feature about the incoming packets, in this type of attack - they are legitimate requests for a real page to be served via port 80 - it is almost impossible for a hosting provider to defend against (it will depend on how well crafted the faked browser requests are.) Data Center operators seeing this kind of attack will generally protect their network by simply taking the attacked IPs off line themselves in order to protect the rest of their network (multi Gbps attacks are becoming more common and in even the best data centers that size of attack will affect other customers on the same network segments, or even the entire data center)

What’s needed?

Corporate

Companies operating on the web must take appropriate precautions. Networks must be secured and internal company IT policies must conform to good practices. One of those practices is limiting staff access to the minimum they need to do their job. Too many companies treat this policy as too much hassle and give users far too many privileges. Too often this leads to data theft.

Another thing companies that operate on the net need to do is develop a set of metrics for determining whether orders they receive are legitimate or not. It is not enough to put every order through and flag the ones that fail. By the time a compromised card fails it has likely been multiple times on the net already to order a variety of goods and services. Companies have a civic moral obligation, to say nothing of a fiduciary obligation, to be proactive and try and prevent stolen cards from going through in the first place. By doing so they lower the success rate for thieves and lessen the impact on society as well as their bottom line. In my own line of business I have developed a set of protocols for order verification that has resulted in a successful fraud rate of approx ~.5% of orders starting from an attempted fraud rate of ~45% of all credit card orders.

Databases must be secured and systems patched at all times. If doing this is too expensive for your business then your business case does not make sense. Lawsuits will put you out of business and into bankruptcy eventually. You would think that post TJMax that this would be self-evident but apparently it’s not. Look if you have critical data in a database then the only safe way to treat it, if you must keep it, is to encrypt the whole hard drive.

SANS has a very good (and short) PDF outline your best practices and what to look for

After the recent spate of database thefts and losses the courts are starting to take a very dim view of companies that are not making every effort to protect their data. Don’t expect to be able to plead difficulty, ignorance or cost to conform, when you are sued.

Personal

As mentioned earlier data/identity theft doesn’t necessarily take place over the net. The information needed by crooks to order credit cards in your name or to create duplicates of your real cards etc is often found other ways, including going through your garbage. Here’s some things you can do to protect yourself.

Watch your data VERY carefully. Keep your computer patched and up to date (yes this includes Mac users - they are at risk now too)
Don’t throw confidential information and receipts out - shred them first. If it has your name and address on it shred it. Put nothing in your garbage that can identify you and even then do not put your garbage out until collection day.
If you have a broadband connection don’t even think about not using a hardware router between you and your dsl/cable modem. the best protection bang for your buck
Get a credit report on a regular basis. If your identity has been stole this will alert you.
Get a separate credit card for use only on the net. If it is compromised it is easy to kill the card and get another one without interrupting your life
Use cheques (checks for you Yanks)? Don’t put your full name on the cheques, just your initials and last name. If you lose your cheques the thief will not know how you sign the but your bank will.
Don’t sign the back of your credit cards put “PHOTO ID REQUIRED” there instead. Hopefully the stores are being diligent and requiring their staff to check signatures.
Don’t put your full Credit Card number on a cheque when making a payment on an account - just put the last 4 digits.
Don’t ever put your SSN / SIN on a cheque (it’s illegal for anyone to request this of you in Canada)
Put all your cards and licenses from your wallet on a scanner or photocopy machine and copy them back and front. Add the phone numbers you need to call to cancel accounts. Put this in a safe place. If your wallet is lost you will know who to contact immediately.

If your identity or credit does get stolen here’s what to do immediately:

Cancel your credit cards immediately. see last item above. Know where to get this list of numbers
File a police report immediately in the jurisdiction where the crime happened. This will prove due diligence on your part to the credit card company/bank.
Call the major credit agencies immediately to place a fraud alert on your name and SSN /SIN. By doing this you will alert and company or bank requesting a credit check on you that your information has been stolen and that phone authorization will be required before any new credit can be approved.
- Equifax: 1-800-525-6285 (1 800 465-7166 in Canada)
- Experian: 1-888-397-3742
- Trans Union: 1-800-680-7289 (1 866 525-0262 in Canada)
- Social Security Administration fraud line (USA): 1-800-269-0271 (Social Insurance Number fraud 1 800 206-7218
  Select Option “3″. in Canada)

Wrap up

This has been barely a toe dip in the chilling waters of cybercrime but enough to whet the appetite for more information if you want it (see resources below.) The best you, as an individual, can do is protect your computer and you personal data as best you can and take all appropriate precautions. Be ever suspicious when dealing with your data.

If you are looking for an online home for your data choose your hosting provider and data center carefully. If you are getting a managed server do they take the appropriate precautions? If you are getting a self-managed server do they actually give you the ability to set your own security? Are they a reseller? Do they own the facilities? What sort of security do they have (don’t expect them to discuss specifics with you - that would be foolish on their part?). Ask the questions, do not assume, and if they can’t answer then move along.

Be Safe, Have Fun

Resources

Here is a list of further resources not used in this article but ones that should be of interest to anyone interested in this topic
1998
Cracking Cybercrime
2002
http://www.cert.org/archive/pdf/cybercrime-business.pdf
2003 NY Times: Identity Fraud
2004
http://law.jrank.org/pages/11951/Organized-Crime.html
http://www.thewhir.com/features/organized-cybercrime.cfm
http://www.crime-research.org/pages/sabad02_2004/
2005
http://www.csoonline.com/analyst/report3896.html
http://www.spamdailynews.com/publish/Organized_crime_offers_rent-a-zombie_deals.asp
http://pcworld.about.com/gi/dynamic/offsite.htm?site=http://pcworld.com/news/article/0,aid,122258,00.asp
http://smallbusiness.itworld.com/4385/050825internetsieges/page_1.html
http://www.baselinemag.com/article2/0,1540,1775903,00.asp
2006 http://www.mediabuzz.com.sg/channels-web-stories/organized-crime-will-continue-to-be-a-serious-web-threat-in-2007.html
http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=205981&start=0
2007
http://www.itjungle.com/tug/tug020107-story10.html
http://www.itsecurity.com/features/mafia-2-protect-yourself-it-security-060707/
http://www.itsecurity.com/features/mafia-2-security-crime-011807/

General

http://www.crime-research.org/articles/General
http://www.interpol.int/Public/TechnologyCrime/default.asp
http://www.lexinformatica.org/cybercrime/
http://www.vaonline.org/internet_reporting.html
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://ec.europa.eu/information_society/policy/cybercrime/index_en.htm
http://wiki.aa419.org/index.php/Main_Page
Studying Malicious Websites and the Underground Economy on the Chinese Web (.pdf 18 pages)
Cybercrime Law: comprehensive survey of current legislations from around the world includes the laws of 78 countries.

Technorati Tags: the web, hive of criminal activity, extortion, terrorism, telecommunications, phone phreaks, John T Draper, Captain Crunch, network hacking, viruses, Internet, cybercrime, stolen, credit card numbers, National Infrastructure Protection Commission, national infrastructure, SPAM, hackers, Jurisdictional arbitrage, Money Laundering, organized crime, bulk email servers, crime syndicates, Stolen Credit Cards, Cyber Extortion, Denial of Servic, DDoS, database thefts, credit agencies, fraud alert, SSN, SIN

Posted by Doug Alder at 4:39 pm

No comments yet.