Environment
Two technological innovations really changed the landscape
of the Internet from something you ‘go on’ to something you are ‘always on’ –
the iPhone and cloud computing. Prior to the release of the iPhone in 2007,
getting on the Internet was ‘expensive’ in terms of time and location – you had
to be at your desktop or your laptop and the system had to be connected to the
Internet. Most often this was at work or at home, sometimes at a public access
point.
The iPhone, and smart phones that followed, essentially
put the Internet in the owner’s pocket on a very pleasantly usable device. Now
you always had the Internet with you and didn’t have to go out of your way to
use it. With this always-on connectivity, individuals moved larger portions of
their lives to Internet connected systems and, in doing so, moved larger swaths
of their personal data to more systems – fitness activities, notes, photos,
social, even their homes.
Cloud computing made it easy for computing-intensive companies
to set up shop. No longer was large capital investment required to build a
computing-intensive company. With rates measured and charged in pennies per
hour, companies could expand their computing infrastructure as needed. And they
could do it easily, with much of the traditional heavy lifting of data center
operations and networking already completed for them. The result has been an
increase in Internet-based companies – SaaS providers and web startups.
Motives and Crimes
In the first decade of the millennium, financial
cybercrimes evolved from infrequent, one-man operations to frequent events
perpetrated through a highly sophisticated, horizontally integrated criminal
industry. Other criminal activities flourished too. While many of the crimes
had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.
Money – Bank Account Takeover
One of the biggest criminal developments of the 2000s was
the formation of an entire industry devoted to compromising and pilfering
online bank accounts. One of the earlier online account compromises occurred in
June of 2005, when a fraudster gained unauthorized access to a Miami
businessman’s online bank account using keystroke-logging malware and was able
to fraudulently wire over $90,000 to an account in Latvia.[1] By the third quarter of 2009, fraudsters successfully hijacked hundreds of U.S.
small business online accounts, hauling away over $25 million.[2]
This amount of criminal opportunity drove specialization,
with some enterprises selling access to compromised systems, some selling
custom malware, and others focusing on cashing out compromised accounts. A
specific class of malware, ‘banking trojans’ such as Zeus, Sinowal, Carberp,
SpyEye, and others, developed to enable bypass of online banking controls. A
fully featured license for Zeus, at one point, was selling in the criminal
world for nearly $20,000.
Money – ATMs
ATMs are computer-driven cash dispensers. If the account
balance and daily withdrawal limit line up with an authenticated request, then
the machine will give the requested amount of money. So, what happens when you steal a few cards
and modify the account balances and daily withdrawal limits? The WorldPay
division of Royal Bank of Scotland found out.
On November 8, 2008, an army of cashers armed with
compromised WorldPay pre-paid payroll cards descended on ATMs located in over
280 cities around the world and withdrew $9.5 million in cash in a twelve-hour
period. The cashers kept their commission, 30-50% of the take, and wired the
remainder to the scheme masterminds. The four leaders of the heist had
previously broken into the Royal Bank of Scotland WorldPay network and stolen
data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption,
raised the funds available on each account up to as high as $500,000, and
changed the daily ATM withdrawal limit allowed. During the heist the hackers
monitored the withdrawal transactions remotely from the RBS WorldPay systems and,
once the heist was finished, they attempted to cover their tracks on the RBS
network.[3]
Money – Payment Card Theft
Grand scale payment card theft looks like Albert
Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that
stole over 90 million payment card numbers from companies including Heartland
Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million
in damages. Gonzalez and crew compromised the payment card processing systems
at these companies by exploiting well-known vulnerabilities in their wireless
networks and web applications. Upon arresting Gonzalez, agents found $1.6
million in his several bank accounts. His goal was $15 million, at which point
he planned to buy a yacht and retire.[4]
Money – Identity Theft
Since 2001, identity theft has been the most common
consumer complaint registered to the Federal Trade Commission. In 2012, 16.6
million U.S. residents, ages 16 and older, were victims of identity theft. The
vast majority of these thefts involved fraudulent use of an existing financial
account, such as a bank account or credit card account. The total cost of these crimes was estimated
at $24.7 billion in 2012.[5]
Activism
Persons with a potentially more aggressive approach to
activism took to the Internet in droves in the 2000s. One person’s 2010 New
Year’s resolution was to actively disrupt sites he deemed to support
“terrorists, sympathizers, fixers, facilitators, oppressive regimes and other
general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered
on his resolution by launching Denial of Service attacks against sites he
deemed to fit within his objective.
His primary targets were wikileaks.org, for releasing the U.S. State
Department cable messages, and sites or organizations he deemed to be aligned
with terrorism.
Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner
of Anonymous. Taking the opposite position from ‘The Jester’, Anonymous launched
DDoS attacks against several financial firms in response to their ban of
Wikileaks from their payment networks for publishing the U.S. State Department
cables. A small Anonymous unit was involved in raising awareness of the
Steubenville High rape case. Anonymous went
after Sony to punish them for prosecuting George Hotz for successfully
unlocking the PlayStation 3 security system.
Ilmars Poikans’ 
campaign to expose fraud within the Latvian government was very effective and
is worth researching. When filing his tax returns, Ilmars ‘unintentionally’
stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see
all tax filings. What he found was fat salaries for government officials during
a time when citizens of Latvia, both public and private, were being forced to
endure deep pay cuts because of the recession. His campaign to expose the
injustice literally resulted in a public rebellion against the government.
[1] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
[2] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
[3] Federal Indictment: http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[4] http://www.wired.com/threatlevel/2010/03/tjx-sentencing
[5] http://www.bjs.gov/content/pub/pdf/vit12.pdf