Cyber-criminals are using the global economic recession as bait for malware attacks and as a tool to distract governments from taking a closer look at their growth, according to a new report.
The McAfee Virtual Criminology Report, an annual global study on organized crime and the Internet released Tuesday, states cybercriminals are continuing to win the war against lawmakers as the number of unique malware attacks grows and as governments continue to ignore the issue.
In 2007, the McAfee Avert Labs found 150,000 individual threats, said David Marcus, security director at McAfee Avert Labs. This year the amount of malware has increased 345 per cent to 1.4 million, and the labs are receiving 3,500 new threats each day.
“We are seeing more malware than ever before and the biggest driver is the shift in economy,” Marcus said. “As soon as we started seeing mergers in the news, we started seeing information about it in related scams.”
Criminals are also capitalizing on the shakiness of the economy by sending out phishing and spam campaigns designed to lure desperate individuals searching for job assistance online into clicking malicious links, or by fooling users into becoming “money mules.”
“Money mules” are individuals recruited to launder cybercriminal gains under the guise of international sales representatives or shipping managers, said Marcus. Problematically, this illegal operation usually ends with the “money mule” being caught rather than the central profiteer of the operation.
The Web sites have a professional-looking image, eloquently worded prose, and use the correct coding needed to filter through search engines and place high in the rankings. Individuals looking to regain a few extra dollars lost in the stock market may get sucked into these ‘get rich quick’ scams.
The report also notes an increased trend of users being asked to place malicious code on their Web sites in exchange for quick, easy cash.
All of the malicious code is written for economic gain, Marcus said. Ninety-five per cent of all malware McAfee sees is password-stealing Trojans, which gather valuable personal information, such as banking information and passwords, to be sold down the road.
Marc Fossi, manager of development at Symantec Canada, said phishing scams are increasingly web-based and are coming from legitimate web pages. Cyber-criminals are replacing content on trusted Web sites with their own malicious content – fooling individuals into sending personal information to criminals rather than retailers.
The fact that the economy is being abused should not come as a surprise, Fossi said.
“There is nothing particularly new about these attacks. In the past various attackers have taken advantage of headlines as a social engineering trick. They grab onto what’s on the public mind and take advantage of that.”
Typically these phishing scams are global issues, Fossi said. There won’t be any unique threats for Canadians because we all use the same software and visit the same Web sites, but the messages in spam will be tailored to include Canadian banks, etc. The economy is a perfect event to latch onto because it affects people everywhere, he said.
A key problem in the wake of increased economic recession-related cybercrime, according to the report, is the lack of laws protecting Internet users against attack.
Despite the economic cost of cyber attacks and the risk to national security, governments are floundering when it comes to viewing cyber security as a top issue, focusing their attention on the recession or terrorism concerns instead.
In the United Kingdom, the House of Lords science and technology committee warned the government that the Internet was becoming a “Wild West” outside the law, but subsequent legislation was turned down as unnecessary.
After several data breaches against the UK government, the House of Lords has come around, reiterating basic recommendations and creating a Police Central e-crime Unit, which will begin in Spring 2009, but it has taken a lot of time.
The United States spends the most on cybercrime, and President-elect Barack Obama is planning on appointing a national cyber-advisor, but details of their cyber plan are still vague.
In contrast, Canada does not have an overall cyber strategy, anti-spam legislation or any recent additions to the Criminal Code to address these issues, said Privacy Commissioner of Canada, Jennifer Stoddart.
“It is an unthinkable omission,” she said. “We are absolutely not doing enough and the McAfee report makes me very concerned. I think there is a general lack of awareness of the risk,” she said. “In order to have laws we need to have public awareness.”
There is also a need for international cooperation on cybercrime, Stoddart said. She is currently working with the Organization of Economic Cooperation and Development (OECD) on privacy law to create a mutual assistance protocol.
The majority of spam we see comes from Russia, said Marcus, not from teenagers in North America or from China as often rumored.
According to McAfee’s report, cross-border law enforcement is one of the major impediments to battling cybercrime. Nations deal with malware locally, but it is a global issue.
“Cybercriminals communicate across boundaries,” Marcus said. “The spam I get when I’m up here isn’t written up here – it’s written in different parts of the world sent from computers from different parts of the world. Until our industry and governments embrace that understanding – we will never make local progress – end of story.”
Governments also need to recruit police officers and investigators with IT skills, Marcus said. There is no well-defined career path for fighting cybercrime and the good ones are poached by private companies.
“When we combine poor police investigations, undertrained judges and weak legislation on the issue, we create a climate that is much more conducive to cybercrime.”