Combating Cybercrime

by Jack Sebbag

Cybercrime has hit the big leagues. The Federal Bureau of Investigation's Most Wanted list now includes a hacker. Saad Echouafni is wanted on computer intrusion charges for allegedly plotting cyberattacks against his competitors in the satellite reseller business.

In fact, despite some high-profile cases, cybercrime might be getting worse. There is a growing trend to pursue cybercriminals and press charges, and more arrests and successful prosecutions now make the headlines, but the successful prosecutions to date have been the easy ones.

David Smith, the creator of the Melissa virus, received 20 months in jail in 2000, but even the prosecution agreed he did little to conceal his identity. In Canada's most notorious computer crime, the perpetrator, Montreal's Mafiaboy, courted his own downfall: he publicly boasted about his exploits on internet bulletin boards. It was bad enough that his Distributed Denial of Service attacks on sites like Amazon and eBay cost hundreds of millions of dollars; when he hinted strongly that his next victims might be US government agencies like NASA, an arrest quickly followed.

Even more recently, Sven Jaschan, the 18-year-old German who authored 2004's Sasser virus, was swiftly arrested after his creation attacked millions of computers around the world. Police had an easy time finding him; some friends turned him in, claiming a US$250,000 reward from Microsoft.

The 'glory' days of computer viruses, when hackers wrote malicious code to show off for their friends, may be behind us. Increasingly the new motivator is 'gain'. As Jimmy Kuo, a colleague at McAfee's Avertlabs subsidiary, said recently, "In days gone by, the anti-virus companies got paid, and the hackers didn't. Today, the malicious code writers are much more likely to seek profit. That will inevitably mean they become more creative in their tactics and more aggressive in their execution."

Two men and two women now facing charges in the United Kingdom may be more typical of the new breed of cybercriminal. The quartet, Russian, Estonian and Ukrainian, used 'phishing' tactics to get illegal access to banking information and steal hundreds of thousands of dollars. 'Phishing' attacks are sophisticated, well-coordinated schemes that use fake emails, apparently from financial institutions, to lure people to equally fake websites. There, the account holders are directed to enter confidential details of their bank accounts. Many do.

It is clear that the phishers have access to excellent databases of email addresses, because the potential victims are sorted out geographically - only US-based recipients receive information purporting to come from US-based banks, for example. The phishers can mount attacks within hours: create phony websites, send out emails, gather confidential information, loot bank accounts and then vanish.

Unfortunately, many major banks, or their insurance companies, do not seem inclined to take the steps necessary to limit the damage done by phishing. Today, it takes an average of 52 hours to locate and take down 'phantom' websites, much too long to be effective. If financial institutions and law enforcement agencies dedicated the appropriate resources and personnel to this challenge, this method of attack would quickly become much less successful. Until that happens, any investment made to enable online banking could be very much at risk if enough customers lose confidence in the system.

To date, attacks against government financial transaction systems have been rare: most implement and maintain the best up-to-date protection available and softer touches are still easy to find. On the other hand, some politically motivated attacks against government websites have succeeded. Most hackers have been content with defacement and caused little real damage, but most governments have responded by 'hardening' important sites. Critical government communications links are military targets and well beyond the range of even the most gifted hackers.

The cybercriminals' newfound profit motive is marching lockstep with a growing technological trend. Rather than simply unleashing viruses randomly into the 'wild' in the hopes they will create some negative consequence, newer attacks are based on published vulnerabilities and exploit a specific weakness before software vendors can write patches and users can receive and install them. Rather than random destruction, the latest attacks have some deeper purpose: they may be dredging for personal information like credit card numbers, gathering up secret corporate information or even 'recruiting' computers to act as relay stations for later attacks.

Gangs based in the former Soviet Union have launched a series of extortion attempts against online gambling sites in the UK, threatening to unleash crippling Distributed Denial of Service attacks unless they received large sums of money. (Ironically enough, the gangsters who attempt these high-tech crimes are sowing the seeds of their own destruction, because any transfer of funds means police can immediately start to play a game they know very well - tracing the movement of money.)

Many cyberattacks, like phishing, exploit the fragile foundations of the internet, a communications network that was assembled quickly, in a vanished climate of mutual interest and trust. It is all too easy for criminals to cover their tracks on the internet. For example, in email, the most commonly used application, it is relatively easy to take on an assumed identity.

There is some deterrent effect in rewards, arrests and prosecutions, but they need wide publicity to make them more effective. Unfortunately, many organizations believe there is a great deal of extra work involved in gathering evidence for a prosecution, as well as the potential and unpredictable loss of personnel time testifying in court. In situations where the organization routinely collects and stores detailed data, it may be much easier to assist with a prosecution.

When an organization is well prepared, IT personnel may be able to analyze data, recognize attempted attacks and forward the relevant information to law enforcement officials. On the other hand, it can be extremely difficult for IT personnel to respond to blanket requests for information. The more carefully worded the requests from police or prosecutors, the more likely it is that organizations will be willing to comply.

Criminals have certainly learned they can count on many companies and institutions to remain quiet in the wake of a successful attack and swallow their losses. Although companies rarely mention possible loss of reputation or ridicule by competitors as an inhibiting factor, it is clear it can play a role.

In the case of Sven Jaschan, the Sasser worm author, a public call for evidence to assist with his prosecution was notably unsuccessful. Even worse, a German IT security company offered him a job. It is obvious there is a long way to go before we can present a united front against crime on the internet.

Can governments do more? Around the world, they could always dedicate more resources to economic crime on the internet, but in most jurisdictions, law enforcement already has the tools to catch cybercriminals and prosecutors have the laws they need to get convictions. The real issue is the transnational nature of cybercrime and the bad guys' ability to attack anonymously. At the global level, governments will probably get the most for their money through faster and closer coordination.

At the national level, they need to teach individuals and organizations that the internet is just another place to do business - buyer beware.

Jack Sebbag is the Canadian general manager and vice-president of McAfee. For further information contact jack_sebbag@mcafee.com or www.mcafee.com

