Navigating the New Cybercrime Threatscape, Part 1
Cybercrime is pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual's identity to the complete disruption of a country's Internet connectivity due to a massive attack against its networking and computing resources. This is the first in a four-part series that will look at the history of cybercrime, its pervasiveness today, and how it has and will continue to impact society.
What exactly is cybercrime? Cybercrime is a type of crime where the element of trust is exploited through the use of computers (mobile, embedded, stand-alone or networked). Additionally, cybercrime also includes traditional crimes conducted via the Internet. For example, hate crimes, telemarketing and Internet fraud, identity theft, wire fraud, and credit card account thefts are considered to be cybercrimes when the illegal activities are committed through the use of a computer and the Internet.
The target of cybercrime centers on information -- the data that is electronically stored for retrieval and subsequent use. To get an idea of the scale of the threat of cybercrime, let's take a look at the overall use of the Internet, theft or exposure of personal data through data breaches and the amount of money (an estimated US$3.2 billion annually) lost to a cybercrime called "phishing" -- one of the most common online attacks. Total spam-based fraud netted $43 billion in 2008.
Crime is a sociological problem that hasn't been solved in 4,000 years of recorded history. Cybercrime is just the most recent vehicle. When asked why he robbed banks, Willie Sutton Jr. responded, "It's where the money is." As in the past, criminals will follow the money trail.
Spam, Viruses and Worms
To understand the current role cybercrime plays in our society, it is important to understand where and how it began.
From its beginnings in 1978, spam messages, which began as mass mailings with the common goal of advertising, have evolved into mailings with a more malicious intent. Moving off of simple email blasts, spam messages are now seen on blog comment boards, cellphone messages, instant messages (SPIM) and over VoIP networks. As the criminal intent has evolved, so have some of the tools to fight it. The passage of the CAN-SPAM Act made it illegal to send these types of messages without offering a way to opt out.
A few years after the first spam messages, the first virus was written. Much like spam messages, there was no initial ill intent with viruses. Rather than execute the malicious code they are now known for, early viruses were used as pranks -- silly messages would appear on the screen and then disappear. Over the years, these harmless pranks evolved from harmless annoyances to code with the ability to destroy data and wipe out hard drives.
A natural and more dangerous evolution of viruses, worms, first tracked back to 1988, are self-propagating. While a virus needed a person to physically install it on each system, worms rely on vulnerabilities in software and networks to spread. Microsoft and other companies now work to address these vulnerabilities with various security patches each time a new vulnerability is discovered.
Trojan software, aptly named for the Trojan horse, installs itself on a user's computer when the user unknowingly clicks on an infected link or attachment that then installs the program on the user's computer. Once the malware is installed on the user's computer, criminals can remotely perform various tasks such as extracting sensitive information, downloading private data such as credentials (usernames and passwords), or using the infected system to connect to a network of other similarly infected systems -- as in a botnet.
Phishing, DDoS and Botnets
The first widely known use of phishing occurred in 1996. Phishing attacks attempt to trick users into divulging their personal information to criminals who can profit, either from its use or resale. Initial phishing attacks took the form of typo-ridden emails, though they have now become much more sophisticated, using exact company logos and wording to trick even the most knowledgeable user. Phishing has become so successful, in fact, that it has been adopted by organized crime rings as a new channel for extortion, theft and blackmail.
What is possibly the first (and one of the largest) DDoS (Distributed Denial of Service) attacks took down several high-profile sites, including CNN, Yahoo and Amazon, in February of 2000. Much like viruses, these attacks began as simple pranks but quickly evolved into criminal operations. In some cases this is in the form of extortion, in which a criminal will threaten an attack unless a Web site owner pays him/her.
2003 marked the first known organized attempt to create a botnet, the Win32.Sobig worm, which infected approximately 500,000 machines. In the past year, the size of botnets and their attacks have grown significantly to several million compromised computers. No one has the exact numbers, but some botnets can be comprised of approximately 2 million to 4 million computers. These networked groups of computers, controlled by a bot herder, act as zombie computers and can be used to send spam, phishing attacks and crimeware.
Though each of these most common types of cybercrime began at different times with different intentions, their evolutions have followed the same path. Each grew to be utilized by cybercriminals for their own gains.
Cybercrime can best be thought of as the ultimate business plan. The compelling numbers behind cybercrime drive the criminals to go where the money is. What motivates cybercriminals? For the criminally minded, cybercrime is less risky, and the end result is the potential to steal a significant amount of information versus a traditional crime such as armed robbery. It proves a tempting path for many because of the low startup capital and the fact that these crimes can be perpetrated from anywhere (low, to no, attribution).
The fact that the legal system and law enforcement have not yet caught up to cybercrime's growth is another key motivator for committing cybercrimes. The difficulty in prosecuting, costly and extensive forensic analysis, jurisdictional squabbles, etc., all lead to few prosecutions. This is not to say that law enforcement is unaware of what is going on. As Karen Hewitt, U.S. Attorney for the Southern District of California, once said, "Not everyone on the Internet is a bad guy, but every bad guy is on the Internet."
While it can be argued that the scaling cybercrime threat is an unsolvable problem, the fact of the matter is that the problem has not been solved -- yet. Technological innovation has consistently leap-frogged security innovation primarily because security was not part of the initial design of the Internet. As Internet usage matures, the advances in cybersecurity continue to move forward in leaps and bounds. The question is not if cybersecurity innovation will catch up to cybercrime innovation, but when the two shall meet.
Regardless of the agreements or disagreements on how individuals, companies and governments are to combat cybercrime, one fact stands true: Doing nothing is the worst posture to assume. Cyber risk is as limitless as human determination, ingenuity and ignorance.
Jeff Debrosse is the North American research director at ESET