How cyber crime went professional

A huge increase in internet crime is only part of the picture. The bigger worry for many organisations is that they are now being individually targeted by criminals using sophisticated technology.

By Sarah Arnott

As Russian and Georgian soldiers were flinging explosive artillery shells at each other, both sides in the South Ossetia conflict were also exploiting the very latest in cyber aggression, using techniques honed by professional gangsters specialising in online crime.

Although the attacks are largely untraceable, both sides are pointing the finger firmly at each other. Russian reports claim that South Ossetian government sites were brought down by Georgian hackers. But Georgian institutions, including government departments and the National Bank, have also suffered a string of attacks. Georgia's foreign ministry is posting all news content to the Polish President's website after its own was taken out when President Mikheil Saakashvili's pages were replaced with pictures of Adolf Hitler. Meanwhile, reports also claim that Russia's RIA Novosti news agency site is being targeted and crashed.

Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor's computer.

Some are more sophisticated. MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

Hacking, which was once the preserve of tech-savvy teenagers showing off, has turned into big business. By some estimates, organised crime represents up to 20 per cent of the global GDP, and cybercrime is the fastest-growing part of it. And as the perpetrators become more experienced, the attacks become more precise.

"There is an increase in targeted attacks on specific pieces of high-value information, whether that is directors of companies and their personal pension investments or attacking corporate networks to try to take intellectual property (IP) out of the organisation and move it to the developing world," said Chris Potter, a partner at the consultancy PricewaterhouseCoopers.

The term cybercrime covers a multitude of sins. Spam campaigns and infected web pages can be used to embed spyware into end users' computers – to monitor keystrokes and steal anything from single credit card details to a large chunk of corporate data.

Or they can be used to recruit the computer into a "botnet", a network of hijacked PCs that can be used either to launch more spam, or to participate in denial of service attacks (DoS) that target a website and bombard it with traffic until it crashes.

The cyberwarfare over South Ossetia is of this type. "The computer in Aunt Ethel's back bedroom may be right now playing a role in a cyber warfare campaign," explained Graham Cluley, a senior consultant at Sophos, a security company. "We don't know for certain it is Russia attacking Georgia and vice versa, or if the attacks are sanctioned by the military, but there is clearly disruption taking place as the governments take pot shots at each other."

As internet crime has become professionalised, it has spawned a shadow economy that could be worth as much as $105bn (£55bn) every year.

"The shadow economy is very similar to the real world economy," said Maksym Schipka, a senior architect at MessageLabs. "Specialisation drives competition, and high-quality goods, and all the things that make the real world economy tick."

Different groups in this new market provide different services. One creates the malicious software, one collects and sells lists of target identities, one distributes the virus using a botnet rented from somewhere else, and so on (see panel, right). Trading, which often takes place between criminals thousands of miles apart, is conducted on online forums and chatrooms that are relatively easy to find using internet searches. Payment is made using online payment systems such as eGold, not unlike in legitimate transactions.

In some ways, in fact, the cybercrime economy is closer to Adam Smith's original concept of a free market, because it is not subject to external price regulation, namely taxes. "The shadow economy is much freer than ours, and therefore price is regulated by supply and demand alone," Mr Schipka said.

Notwithstanding its capitalist purity, the majority of electronic crime is unsophisticated in intent and some 95 per cent is designed for financial fraud and theft. But about 5 per cent is for the purposes of espionage, either political or industrial, using techniques that are ever-more refined, pursuing ever-more specific targets – often highly placed executives.

Partly, such targeting is the result of an efficiency drive that would not be out of place in any market. From the corporate spy's perspective, the most promising recipients of infected emails are likely to be executives – they have access to all of a company's systems, and are often too busy to think about whether incoming documents are real or bogus before sending them on.

Using complex programs, criminals selling identities can automatically trawl corporate "About Us" web pages, and marry up biographical information with email address formats to produce bespoke lists of contact details for executives of a certain level in a given geography or industry sector.

But the hardest attacks to defend against are not financially motivated. The most common targets are IP-rich industries, such as in financial services, defence and aerospace, and it can be impossible to spot the problem until a rival comes up with an uncannily similar product, or a developing world government suddenly has better warplanes. "These are the scariest problems because they are very difficult to notice, and can go undetected for years," said Mr Schipka.

Such approaches are highly sophisticated, and very expensive. One major aerospace group found out that an apparently innocent Microsoft Word document, sent to a single executive, contained a piece of malware that came to life if the host computer ran a specific engineering calculation programme. Once launched, it stole very specific, highly technical information that could be used for designing new rockets, which was then sent to an anonymous "drop" address.

"It was difficult to tell who paid for the attack, but the type of information stolen suggests it would have been worth hundreds of thousands of dollars," Mr Schipka said. "No individual would be interested in that kind of data, because they couldn't do anything with it."

For law enforcers, the problem is how to fight crimes that are diverse, technical, sometimes undetectable, often unreported, and conducted by loose affiliates from multiple jurisdictions all over the world.

Last week's arrest of 11 people alleged to have participated in the theft of 100 million credit card details highlights the difficulty: charges are being brought against two Chinese, three Americans, three Ukrainians, an Estonian, a Belarussian and one suspect known only by his online moniker, Delpiero.

Shadow economy: Just like the real world

* Malware is the software that drives all types of cyber attack, from high level espionage to basic theft. Off-the-shelf malware can cost from $50 (£26) to $3,500, depending on the sophistication of its targeting, what kind of information it can grab, and what kind of security it can circumvent. You can also buy a service to monitor anti-virus developments and tweak your malware accordingly – charging $25 to $60 per month – or a premium service to make it undetectable.

* The next step is finding targets. A basic list of unqualified email addresses costs about 1/10th of a cent per address; a complete identity, including UK national insurance number, could set you back by $5 a piece. For a tailored solution – corporate executives within a certain geography or industry sector – expect to pay bespoke prices.

* The next step is to send the program out, using a "botnet" of thousands of innocent computers hijacked by hackers. Services can be bought piecemeal, costing about $10 for a million mails. Or the botnet can be rented and used for spamming, hacking, denial of service attacks, or anything else you might have in mind. One hour of a reasonable-sized network of 8,000 to 10,000 computers costs about $200.

* The most common aim is theft of credit card details. A successful attack might yield 100,000 numbers within a week. You can then either exploit them yourself, or sell the list on an online forum for 2 per cent to 5 per cent of the remaining balances. If the average card on your list has remaining credit of $1,000, each set of details is worth around $25 – bringing in $2m.

* A good way to convert the card numbers to cash is to buy commodity goods, often electronics, online and arrange delivery to a "drop" address. A minor hireling, who may or may not be criminally complicit, receives the parcel and takes it elsewhere, often to a railway station locker. The final link is the person that collects from all the drops and sells the goods for, perhaps, 70 per cent of their value – typically just over half the resale value, the rest reverting to you.

* In case you are concerned about being ripped off buying your malware or selling your credit card list, there are also guarantee services. For between 2 and 5 per cent of the transaction value, the third party will hold both goods and payment in escrow pending verification.
