Friday, January 10, 2014

Cybercrime in the 2000s

Environment
Two technological innovations changed the Internet from something you ‘go on’ into something you are ‘always on’: the iPhone and cloud computing. Before the iPhone’s release in 2007, getting on the Internet was ‘expensive’ in time and location. You had to be at a desktop or laptop, and that system had to be connected, which usually meant at work or at home and occasionally at a public access point.

The iPhone, and the smartphones that followed it, put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it. With this always-on connectivity, individuals moved larger portions of their lives onto Internet-connected systems and, in doing so, spread larger swaths of their personal data across more systems, and so across more places it could be stolen from: fitness activity, notes, photos, social life, even their homes.

Cloud computing made it easy for computing-intensive companies to set up shop. Large capital investment was no longer required to build one. With rates metered and billed in pennies per hour, companies could expand their computing infrastructure as needed, and could do it easily, with much of the traditional heavy lifting of data center operations and networking already done for them. The result has been an increase in Internet-based companies, SaaS providers and web startups, each of them a new store of customer data.

Motives and Crimes
In the first decade of the millennium, financial cybercrime evolved from infrequent, one-man operations into frequent events perpetrated by a highly sophisticated, horizontally integrated criminal industry. Other criminal activities flourished too. While many of the crimes had been seen in previous decades, their frequency and magnitude had not.

Money – Bank Account Takeover
One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts. One of the earlier documented online account takeovers occurred in June 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and fraudulently wired over $90,000 to an account in Latvia.[1] By the third quarter of 2009, fraudsters were hijacking hundreds of U.S. small business online accounts, hauling away over $25 million.[2]

This much criminal opportunity drove specialization: some enterprises sold access to compromised systems, some sold custom malware, and others focused on cashing out compromised accounts. A specific class of malware, the ‘banking trojans’ (Zeus, Sinowal, Carberp, SpyEye and others), was developed to bypass online banking controls from inside the victim’s browser. A fully featured license for Zeus was, at one point, selling in the criminal world for nearly $20,000.

Money - ATMs
ATMs are computer-driven cash dispensers. If an authenticated request fits within the account balance and the daily withdrawal limit, the machine dispenses the requested amount of money. So what happens when you steal a few cards and modify the account balances and daily withdrawal limits on the back end? The WorldPay division of the Royal Bank of Scotland found out.

On November 8, 2008, an army of cashers armed with compromised WorldPay prepaid payroll cards descended on ATMs in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme’s masterminds. The four leaders of the heist had previously broken into the RBS WorldPay network, stolen data for 44 prepaid payroll cards, cracked the encryption protecting the card PINs, raised the funds available on each account to as much as $500,000, and raised the daily ATM withdrawal limits. During the heist the hackers monitored the withdrawals remotely from the RBS WorldPay systems and, once it was finished, attempted to cover their tracks on the RBS network.[3]
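To make the mechanism concrete, here is an added example (not code from the original post or from RBS WorldPay) that models the authorization check described above and shows why tampering with the back-end account record defeats it, followed by the kind of velocity and dispersion check an issuer could run over withdrawal records to catch a cash-out like this one. The account values, card names, cities, thresholds and the withdrawal records are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    """Issuer-side record for one prepaid card (constructed for this example)."""
    balance: float
    daily_limit: float
    withdrawn_today: float = 0.0


def authorize(acct: Account, amount: float) -> bool:
    """The check an ATM host performs: approve only if the amount fits both the
    card balance and the remaining daily limit. It trusts whatever values sit
    in the account record, which is exactly what the attackers altered."""
    if amount <= 0 or amount > acct.balance:
        return False
    if acct.withdrawn_today + amount > acct.daily_limit:
        return False
    acct.balance -= amount
    acct.withdrawn_today += amount
    return True


def tampered_card_demo():
    """Five $400 withdrawals against a legitimate card and against one whose
    balance and limit were raised in the back end. Returns approvals for each."""
    legit = Account(balance=1500.0, daily_limit=500.0)
    tampered = Account(balance=500_000.0, daily_limit=500_000.0)  # assumed attacker edit
    ok_legit = sum(authorize(legit, 400.0) for _ in range(5))
    ok_tampered = sum(authorize(tampered, 400.0) for _ in range(5))
    return ok_legit, ok_tampered


def over_policy(acct: Account, ceiling: float = 5000.0) -> bool:
    """Independent control (illustrative ceiling): a payroll card whose balance or
    limit exceeds what the product allows is suspicious regardless of the record."""
    return acct.balance > ceiling or acct.daily_limit > ceiling


def flag_cards(records, window=timedelta(hours=12), max_cities=3, max_total=2000.0):
    """Velocity/dispersion detector with illustrative thresholds. For each card,
    look at every window-long span of its withdrawals and flag the card if the
    span touches more than max_cities distinct cities or sums to more than
    max_total. records: iterable of (card_id, datetime, city, amount).
    Returns {card_id: (distinct_cities, total)} for flagged cards."""
    by_card = defaultdict(list)
    for card, ts, city, amount in records:
        by_card[card].append((ts, city, amount))
    flagged = {}
    for card, txns in by_card.items():
        txns.sort()
        for i, (start, _, _) in enumerate(txns):
            span = [t for t in txns[i:] if t[0] - start <= window]
            cities = {city for _, city, _ in span}
            total = sum(amount for _, _, amount in span)
            if len(cities) > max_cities or total > max_total:
                flagged[card] = (len(cities), total)
                break
    return flagged


# Constructed sample withdrawals: one normal card, one card run by cashers.
T0 = datetime(2008, 11, 8, 0, 0)
SAMPLE = [
    ("card-normal", T0 + timedelta(hours=9), "Atlanta", 200.0),
    ("card-normal", T0 + timedelta(days=1, hours=9), "Atlanta", 200.0),
    ("card-cashed", T0 + timedelta(hours=1), "Moscow", 800.0),
    ("card-cashed", T0 + timedelta(hours=2), "Tallinn", 800.0),
    ("card-cashed", T0 + timedelta(hours=3), "Chicago", 800.0),
    ("card-cashed", T0 + timedelta(hours=4), "Montreal", 800.0),
    ("card-cashed", T0 + timedelta(hours=5), "Hong Kong", 800.0),
]

if __name__ == "__main__":
    print("approvals (legit, tampered):", tampered_card_demo())
    print("tampered record over policy:", over_policy(Account(500_000.0, 500_000.0)))
    print("flagged cards:", flag_cards(SAMPLE))
```

The point of the two halves is that the ATM-side check is correct as written and still useless once the data it consults has been changed; the controls that would have bitten here live elsewhere, in a product-level ceiling on what a payroll card may hold and in monitoring that notices one card draining cash in five cities within a few hours.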

Money – Payment Card Theft
Grand-scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’’: a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJX (parent of TJ Maxx), 7-Eleven and OfficeMax and caused over $200 million in damages. Gonzalez and his crew compromised the payment card processing systems at these companies by exploiting well-known weaknesses: weakly encrypted wireless networks and SQL injection flaws in web applications. When Gonzalez was arrested, agents found $1.6 million across his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.[4]

Money – Identity Theft
Since 2001, identity theft has been the most common consumer complaint registered with the Federal Trade Commission. In 2012, 16.6 million U.S. residents aged 16 and older were victims of identity theft. The vast majority of these thefts involved fraudulent use of an existing financial account, such as a bank account or credit card account. The total cost of these crimes was estimated at $24.7 billion for 2012.[5]

Activism
Persons with a more aggressive approach to activism took to the Internet in droves in the 2000s. One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered on that resolution by launching denial-of-service attacks against sites he judged to fit his objective. His primary targets were wikileaks.org, for releasing the U.S. State Department cables, and sites or organizations he deemed aligned with terrorism.

Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner of Anonymous. Taking the opposite position to The Jester, Anonymous launched DDoS attacks against several financial firms after they cut WikiLeaks off from their payment networks for publishing the U.S. State Department cables. A small Anonymous unit was involved in raising awareness of the Steubenville High School rape case. Anonymous also went after Sony to punish it for suing George Hotz over his jailbreak of the PlayStation 3’s security system.

Ilmars Poikans’s campaign to expose fraud within the Latvian government was very effective and is worth researching. When filing his tax return, Poikans ‘unintentionally’ stumbled on a vulnerability in the Latvian State Revenue Service’s website that allowed him to see everyone’s tax filings. What he found were fat salaries for government officials at a time when Latvian citizens, in both the public and private sectors, were being forced to endure deep pay cuts because of the recession. His campaign to expose the injustice provoked a public outcry against the government.

[1] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
[2] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
[3] Federal indictment, http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[4] http://www.wired.com/threatlevel/2010/03/tjx-sentencing
[5] http://www.bjs.gov/content/pub/pdf/vit12.pdf