Unlike the script kiddies of yesterday, today’s cyber-criminals are sophisticated, organized and out for a profit, according to a McAfee report released this month.
With the study, entitled “McAfee Virtual Criminology Report:
North American Study into Organized Crime and the Internet,”
McAfee hopes to educate the marketplace about the threats it is facing online, said Jack Sabbag, vice-president and general manager for Canada at McAfee Inc. in Pointe-Claire, Que.
“It’s a new kind of risk,” said James Lewis, a senior fellow and director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington, D.C., of the threat posed by professional criminals who are exploiting the Internet. And the threat of cybercrime has 40 per cent of online shoppers and a third of those who use online banking services questioning whether they need to be more cautious about using these tools, he said.
The threat is getting worse — two years ago, there were about 300 malicious threats emerging a month; today the figure has rocketed to 2,000, according to McAfee. This is largely due to a sharp increase in the number of bot nets. These are networks of computers that can be controlled remotely. One FBI estimate put the cost of cybercrime at about $400 billion in 2004 alone.
There are several types of cybercrimes, which Lewis went over during a press briefing. These include extortion, reputational damage, fraud, phishing, service disruption, information theft and money laundering. In the Internet version of extortion, criminals threaten to disrupt a company’s networks or launch a denial of service attack unless they agree to put money into an offshore bank account.
A blow to a company’s reputation can mean thousands or millions can be lost in sales, and such attacks can be carried out either by hackers or a competitor.
Phishing attacks are the cybercrime du jour, Lewis said. They are a success because “authentication remains a weak point.” It’s dangerous because it erodes people’s confidence in the Internet, he said. And for criminals, such crimes are low cost – it costs them virtually nothing to send out hundreds or thousands of e-mails. Even if the response rate is low, criminals can still reap a profit, Lewis said.
Information theft is probably the most profitable type of cybercrime, he said. In one case of industrial espionage, for example, one company in Israel was able to put spyware on its competitor’s networks and gather information.
According to McAfee, there are four types of cyber-criminals: script kiddies, cyber punks, hackers and crackers, and cyber gangs.
Script kiddies don’t generally know what they’re doing, he said.
“It’s roughly the same as magic.” Script kiddies have some words, and they don’t know how they work, but they can use them to accomplish various things. They are usually under the age of 20.
Cyber punks are generally not seeking profit, but notoriety and bragging rights.
Hackers and crackers, on the other hand, begin to realize that their dubious talent can be used to turn a profit, though they may also be out for accolades from the hacker community. There are hackers who are as sophisticated as the best programmers out there, Lewis said. They generally work alone.
Cyber gangs are groups of career criminals or hackers who have the technical expertise to move their activities onto the Internet. The groups are often based in countries with weak cybercrime laws.
“They are not what you think of when you say mafia, but in a way, they are as successful,” Lewis said. Cyber gangs are virtual entities and can be based in different countries. They use the Internet to communicate.
It’s the cyber gangs that have law enforcement officials worried today, he said.
“Ten years ago, we were mainly looking at amateurs, and now we’re looking at professionals.”
Much as organizations such as SETI Institute, which searches for extraterrestrial intelligence, realized that networks of thousands of computers, most of which are sitting idle, can be turned into super computers, cyber-criminals use bots to link computers together, Lewis said. Most unprotected computers are likely to be probed within an hour of being online and at least 50 per cent of machines in North America are infected in some way, he said.
Other cybercrime tools include keyloggers, bundling, denial of service, packet sniffers, rootkits, spyware, scripts, social engineering, trojans, worms, viruses and zombies.
Social engineering – in which criminals trick people into giving them information by preying on their vulnerabilities and needs – is an important element of cyber fraud, but one for which is difficult to defend against, Lewis said.
“It’s not something you can fix technologically,” he said.
Worms and viruses, on the other hand, are two modes of attack that “in some ways we have a handle on,” he said.
Attacks on mobile devices and voice over IP networks are areas where McAfee expects to see more attacks, according to the report.