State-sponsored cybercrime is a touchy subject for law enforcement because of the political complications that can result, reports Matthew Heller.
When Hugh Jackman's hacker character in the 1991 movie Swordfish attempted to steal $9.5 billion from a secret U.S. government slush fund, he used his advanced computer skills to write elaborate code. Ten years later, that strategy is getting a little archaic. According to information security experts, the hacker of today is more likely to use a much less technical process to gain entry to the vault.
With a method known as social engineering, hackers don't need to find the vulnerabilities in a computer system, they exploit the vulnerabilities of the human beings who use the system. Most often, this involves scammers sending emails purporting to be from legitimate businesses and agencies to lure consumers to counterfeit websites designed to elicit financial data, such as usernames and passwords.
“Apart from increasing globalization ... one of the biggest things [in cybercrime] is the combination of hacking and social engineering,” says Seth Kosto, one of two prosecutors in the Computer Hacking and Intellectual Property (CHIP) unit of the U.S. Attorney's Office in New Jersey. “It's an example of cybercriminals recognizing that the coolest way into a computer system is not necessarily the smartest way. They don't have to figure out the encryption scheme. They figure out whatever the key is to open the door.”
Social engineering strategies, that is, deceiving email recipients into passing along valuable information, is the foundation of the so-called phishing scams that are now so prevalent on the internet. “[Criminals] send the inquiry from an email address that is deceptively similar to a legitimate one,” says Kosto.
In May 2009 alone, the Anti-Phishing Working Group (APWG), an industry association focused on eliminating identity theft and fraud, received 37,165 unique phishing reports – seven percent more than any month in 2008. Highlighting the global nature of cybercrime, Sweden replaced the U.S. as the top host country for phishing sites in June 2009.
This is a more indirect phishing method than technical subterfuge schemes that plant “crimeware” onto PCs to steal credentials. For example, rogue anti-malware programs, such as Windows PC Defender, are a particularly insidious form of phishing that actually install malware by preying on computer users' nervousness about security. According to APWG, more new strains of rogue anti-malware were created in the first quarter of 2009 than in all of 2008, and more than 200 hacker gangs are now in the rogueware business. The total number of crimeware-infected computers rose more than 66 percent between the end of the fourth quarter of 2008 and the end of the first half of 2009, according to APWG
What's being doneWith so much cybercrime — and so much of it crossing international borders — law enforcement resources are stretched. But U.S. agencies, often in cooperation with overseas counterparts, are having some success. In one of the biggest cases so far, Albert Gonzalez was sentenced in March to two concurrent terms of 20 years in prison for leading a crime ring that hacked into the payment card networks of major U.S. retailers, including T.J. Maxx, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. After a global investigation, prosecutors indicted him along with two Russian accomplices.
Last year, two Romanians accused of sophisticated phishing attacks targeting major financial institutions, including PayPal and Citibank, were extradited to the United States. Petru Bogdan Belbita was arrested in Canada and Cornel Ionut Tonita was arrested in Croatia. The investigation involved Interpol, the Romanian National Police, the FBI, and police in Canada and Croatia. Among other things, the hackers allegedly took down the website of a Vermont savings and loan with a denial-of-service attack and then sent a phishing email to the bank's customers, asking them to provide sensitive information for an upgrade of the bank's computer systems.
Kosto and Erez Liebermann, his colleague in the CHIP unit, credit the Council of Europe Convention on Cybercrime, which came into force in July 2004, with enhancing global cybercrime fighting. The U.S. Senate ratified the convention in 2006 and on June 4, Turkey became the forty-third country to sign the agreement. The CHIP prosecutors say they have worked with agencies in Italy, France, Latvia and the UK. One investigation of a PBX system hacking ring resulted in the arrests of 10 people in Italy and seven in the Philippines. In the case of Russia, which does not have an extradition treaty with the U.S., “We have helped them prosecute their own [cybercriminals],” Kosto says.
The convention provided for the creation of a 24/7 network for ensuring speedy cooperation between law enforcement agencies in cases of scams executed using networks of hacked computers located around the world. “We can get other countries to immediately preserve data for us,” says Liebermann. “We can preserve data very quickly.”
The FBI has recently begun embedding agents into law enforcement agencies in the cybercrime hotbeds of Estonia, Ukraine and the Netherlands. A similar operation was successful in Romania in 2006, resulting in close to 100 arrests. Security experts now rank Ukraine – the purported home of the creators of the Zeus trojan, one of the most infamous of all malware strains – above neighboring Russia as a cybercrime problem.In addition, an Estonian company has been linked to a widespread rogueware operation that displayed the message: “You are infected,” to 1.8 million internet surfers in July 2009.
For Kosto, the embedding of agents has made communications a lot easier. “I can pick up the phone and call agents already on the ground,” he says. “It's a good start.”[sidebars]
State sponsor: Continuous struggle
Security experts say the cybercriminals are becoming ever more sophisticated and, in some cases, may even have the support of foreign governments. “The most serious development in cybercrime is state-sponsored cybercrime,” argues Mark Rasch, a former head of the computer crimes unit at the U.S. Department of Justice, who now consults on security matters for corporate and governmental clients. He points to Google's recent allegations that hackers backed by the Chinese government used its service to spy on human rights activists. In the run-up to the Beijing Olympics in 2008, hacker groups compromised the email system of the Office of the Dalai Lama.
“These are people who with the total support of a foreign government take over U.S.-based networks ... for the purpose of obtaining information, stealing money or to be ready to launch an attack in the event of a full-out cyber war,” Rasch says. “In some jurisdictions,” he adds, “these are government employees. Or they are hired hackers. In some cases, governments offer a bounty [which they post] on message boards and hacker sites.”
State-sponsored cybercrime is a touchy subject, though, for law enforcement because of the political complications that can result from investigations. Liebermann won't comment on what U.S. prosecutors are doing to address it, but notes that Estonian websites were the target of a series of denial-of-service attacks in the spring of 2007. The attacks followed the removal of a disputed Soviet statue from Tallinn, the Estonian capital. Estonian officials said at the time that the Kremlin might be involved.
As well, a story in the New York Times in 2007 included an ominous quote from an Estonian Defense Ministry spokesman, Madis Mikko: “If, let's say, an airport or bank or state infrastructure is attacked by a missile, it's clear war, but if the same result is done by computers, then what do you call it? Is it a state of war? Those questions must be addressed.” – Matthew HellerPhoto: Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, announces the arrests of dozens of people in an identity theft ring. U.S. and Egyptian authorities charged 100 people with helping the ring steal money from thousands of bank accounts.