The Motives of Internet Criminals: Why They Want Our Money

Anthony Nesavich and William H. Inmon explain how greed mixes with advanced internet tools, evolving techniques, and complex crime organizations to create explosive growth in internet crime.
This chapter is from the book

Have you ever seen a bank robbery? Before the Web, the chance that you would have seen an actual bank robbery was quite small. Today, though, if you have e-mail, it is almost certain that you have been targeted by bank robbers.

By the last count, I receive more than 2,500 criminal e-mails a day. These criminals want my money; they want your money. How are we going to stop them?

The first step toward finding an answer is to understand how the crimes work. Knowing how Internet crimes work will do little to reduce the number of victims: it will only take a little longer for the criminals to find them. It is, however, the best way to make sure you do not become the victim.

Internet crime is real. It's organized. Internet criminals have stolen hundreds of millions of dollars and caused billions of dollars' worth of damage. The number of attacks and their sophistication are on the rise, and this trend is expected to continue for the next several years.

In the early years of the Web, Internet crime was mostly the actions of teenage vandals looking for a way to pass time. Attempting to make money from hacking was considered too risky, too likely to attract the attention of the authorities. Today it's all about the money.

One consequence of this change is that Internet crime has become much easier to predict. Only the most obsessive vandal would attempt the same crime in the same way, again and again for long enough for investigators to build a profile. The professional criminal does not become bored so easily and will keep doing what he is doing until the act no longer makes money or he is caught.

The Internet criminal changes his tactics frequently. The techniques that Internet criminals used to perform bank fraud three years ago simply do not work today. The techniques they are using today are not likely to be as profitable or as safe in three years' time. But the goal of the professional Internet criminal remains the same—to take money from other people—and so do the three basic strategies that he uses to achieve this goal: extortion, impersonation, and persuasion.

  • Extortion—Criminals have operated extortion rackets for millennia. The Internet is a major engine of the global economy. Many companies cannot carry out their business when their Web site is down. A criminal who can make a site unreachable may find businesses willing to pay for protection.
  • Impersonation—The money that the criminals are after is mostly stored in banks. Taking the money from the bank directly is far beyond the capabilities of most Internet criminals. Instead, they attack the system at its weakest link: the customer. The customer has access to his bank account through the Web. All the attacker needs to do is to cause the customer to divulge his account name and password.
  • Persuasion—The most pervasive type of Internet crime is the confidence trick. The larger the pool of potential victims that the attacker can reach, the less credible the story needs to be. The Internet allows a criminal to reach an audience of more than a billion.

Internet crime is a mile wide and an inch deep. What appears at first glance to be something new invariably turns out to be a new way to perform an old scam.

The Tools of the Trade

The tools of the Internet criminal are chosen for effectiveness rather than sophistication. The Internet allows the criminal to contact a vast audience of potential victims, to communicate in ways that are difficult to trace, and to collaborate with other criminals. Criminals have always done such things but on a smaller scale. The Internet gives the criminal enterprise global reach and the whole world to hide in.

The Internet also gives the criminal a new capability: the ability to spy on the activities of people who are not in their immediate vicinity by taking control of their computer.

Of Bots and Botnets

Traditional criminals use stolen cars as getaway vehicles. Cyber criminals cover their tracks using stolen machines but do one better—the real owner continues to pay for gas.

Many Internet users believe that they are not at risk from Internet crime because they have nothing of value on their computer. But the computer itself has a value to the Internet criminal. The thief can steal the use of the machine without taking the physical machine, but the owner continues to provide the necessary space, power, and network connectivity.

In hacker jargon, there are many names for a machine that has been taken over. News reports often use the terms bot or zombie; within the field, the term owned machine is sometimes used.

Control of one bot gives the criminal a getaway vehicle. Running an Internet crime from your own house using the network connection you (or your parents) pay for is risky. Channeling communications through a bot allows the Internet criminal to lay a false trail.

The sophisticated criminal hides his activities through a constantly changing series of machines carefully chosen so that the trail passes through as many jurisdictions as possible.

Bots are also used to perform the crime itself. A bot can be used to attack other machines, to send spam, and to create other bots, forming a botnet. The more bots an Internet criminal controls, the more crime he can perform. Most worrying of all, perhaps, a bot can spy on the owner of the machine and watch as he logs in to his online bank or enters his credit card number.

Some years ago, taking over (cracking) machines was a bespoke industry. The attacker would select a machine and work on ways to break into it until something worked or he decided to give up and move to another target. Today it is easy to obtain hacking tools that probe thousands of machines at a time.

Botnet management has become a commodity, a low-skill, low-return Internet crime. Skilled professional criminals often prefer to "rent" the use of bots. A bot is priced on the black market according to the utility to the criminal: the speed of the Internet connection, the speed of the processor, and whether the network management is likely to shut it down quickly.

An attacker can gain control of a machine in much the same way that an army can capture a walled city: by direct assault or by subterfuge.

A direct assault requires the attacker to find an exploitable vulnerability in the defenses of the machine. Computers have no common sense; they just follow instructions. If a program is written properly, the only instructions that the computer will execute are the ones the programmer writes. If a program has a specific type of programming error, the computer might end up executing instructions that an attacker supplies.

A direct assault is unlikely to compromise a "securely" configured machine with every nonessential service turned off and every security fix installed. With a billion users and a billion-plus machines, there will never be a shortage of vulnerable targets.

Every machine that is connected to a network and has some form of processing capacity is a potential point of compromise: every router, every wireless gateway, every cable modem, every printer.

The vandals competed to crack the machine in the most ingenious ways they could. The professional Internet criminal is only interested in results and accordingly attacks the system at its weakest link: the user. Why bother working out how to bypass the computer defenses when the user can run any program you want? All you need to do is to persuade him to run it.

A program that has a hidden malicious purpose is called a Trojan after the Trojan horse of Greek legend. Mistaking the horse for a parting gift, the Trojans wheeled it into their city and left it unguarded while they went off for a feast. During the celebrations, the soldiers hidden inside the horse quietly slipped out and opened the city gates to let the waiting Greek army through.

Computer Trojans work in the same way. The user thinks that he is doing something harmless while the Trojan takes over his machine.

Five years ago, a Trojan attack could be neatly classified as a virus, worm, or spyware. But the changing tactics of the criminals have rendered the distinction obsolete. The terms malware and even crimeware have been introduced in an attempt to keep pace.

A true computer "virus" spreads from one infected machine to another as a biological virus does. Today the analogy is obsolete. Instead of waiting for their creations to spread gradually from one machine to another, the criminals pump out Trojan-bearing e-mails from a botnet.

Equally obsolete are the tools based on the assumption that the criminals will continue to respect these distinctions.

By the time the "virus" has been detected and analyzed, and "antivirus" signatures have been distributed, the attack will already have reached tens or hundreds of millions of machines, and the attacker will be busy creating his next attack.

When spyware first began to appear as a significant concern for computer owners, it was mostly ignored by the suppliers of "antivirus" software. It took a new group of vendors offering antispyware solutions for the antivirus vendors to realize that their customers expected to be protected from all forms of harm regardless of cause.

Spam

In the words of FTC Commissioner Orin Swindle,1 "Spam is killing the killer application of the Internet." But spam is no longer merely a nuisance that threatens to make e-mail unusable; spam is one of the primary vehicles for Internet crime. Virtually every Internet crime involves spam at some point, and most spam is sent to further a criminal end.

Spam frauds range from simple consumer frauds such as peddling quack medicines and bogus get-rich quick schemes to sophisticated confidence tricks. The vast majority of spam products are fake, stolen, or nonexistent. Spam is cheap, difficult to track, and provides access to a billion potential victims.

Stopping spam is widely considered to be an intractable technical problem. That's true: The cause of spam is social, not technical. Spam can, however, be controlled and to a large extent "solved" by a social solution, and technical measures can be designed to support that social solution.

There is no "technical solution" for graffiti either. The problem of graffiti has existed for thousands of years, as the remains of Pompeii attest. But as New York City Transit Police Chief William J. Bratton demonstrated, control of graffiti is entirely practical given the necessary determination and resources. Bratton's "policy" of erasing the work of vandals within 24 hours of its being created coupled with a zero-tolerance policy toward fare-dodging and other types of vandalism had a noticeable effect. Technical measures such as graffiti-resistant paint are not by themselves a solution, but the right technical measures can make a social solution possible or more effective.

The problem of spam is caused by the lack of accountability in the e-mail system. The social solution to the spam problem is to establish accountability. How this is done is the topic of later chapters.

Like graffiti, the problem of spam was largely ignored as a nuisance until people decided that the problem mattered. Users who complained that their electronic Inbox was full of junk were told not to worry about such a trivial matter; just don't respond to it.

The catalyst for the New York subway graffiti crackdown was the "broken windows" theory2 that tolerance of minor crimes creates an environment perceived to be permissive of crime that leads to major crimes.

Whether the broken windows theory is true and whether the zero-tolerance policy is the main cause of the reduction in crime is open to debate. Social change almost never has a single cause. If we wait for absolute certainty before we act, we can be certain of only one thing: Our actions will come too late.

Internet Crime Markets

The term organized crime suggests a single group of criminals organized in much the same way as a business. Al Capone and his fellow bootleggers organized their criminal enterprises using the principles of modern business management then being developed by Alfred Sloan and others. Professional Internet criminals continue the tradition, applying the organizational principles of the "virtual corporation" long before the legitimate businesses of the day have fully realized them. A free-market approach is pursued in which individual criminals or groups of criminals specialize in particular tasks, selling their services to others or buying services that they need.

Stolen credit card numbers are traded in numerous criminal venues: they are exchanged in chat rooms or offered for sale on bulletin boards. In some cases, the sellers even have Web sites offering their product. Figure 1-1 shows a Web site offering stolen credit cards (referred to as dumps) priced according to the card issuer, the region where the card was issued, the credit limit, and so on.

Figure 1-1 Online trading site for stolen credit card numbers, or dumps

Criminals with technical expertise sell information and tools to the less expert criminals who do the actual dirty work. Like traditional arms merchants, these experts occupy a gray area of dubious legality. Some of the tools they sell might have legitimate purposes as well as criminal ones. A security scanner, for example, is used to detect the vulnerabilities in a system, but this can be done by a legitimate "white hat" hacker to identify a system needing attention or by a criminal "black hat" hacker looking for a vulnerability to exploit.

To make the situation even more murky, there is more than anecdotal evidence to suggest that some play both sides of the fence. The Internet security world is like a John le Carré spy novel; it is difficult to know the good guys from the bad.

Fortunately, the system works both ways: The bad guys cannot know which of their associates might turn out to be a police plant. This has allowed law enforcement to deal effectively with certain Internet crimes, such as attempts to establish online pedophile rings. A pedophile can never be sure whether the other person in the Internet chat room is really the 12-year-old child he thinks or an undercover police officer.

Figure 1-2 shows a Russian Web site (since closed) that provided online forums for various forms of Internet crime, including carding—the use of stolen credit cards. The banner on the site logo reads, "Carders of all lands unite." The picture is of Lenin, but the quotation is adapted from Karl Marx's closing lines to the Communist Manifesto. The choice is somewhat unfortunate from the carders' perspective because the original quotation continues, "You have nothing to lose but your chains." Anyone who wants to avoid chains would be better advised to steer clear of carding rings, as the U.S. Secret Service and Department of Justice demonstrated in Operation Firewall, a multinational investigation of the Shadowcrew carding organization, which resulted in 28 arrests, including seven in foreign countries. The Shadowcrew Web site was taken over by the U.S. Secret Service, who used it to send a message to the carding rings (see Figure 1-3).

Figure 1-2 Russian site offering advice on carding crime

Figure 1-3 The Shadowcrew Web site after Operation Firewall

The Internet allows criminals to communicate secretly and anonymously with others of their kind. Payment for services rendered might be made by wire transfer or courier service envelopes stuffed with up to $20,000 in used bills or through more anonymous means such as a gift card bought with cash or an anonymous Internet currency such as e-Gold.

Although it would take an entire book to describe every detail and development of every Internet crime, most are variations of the same basic schemes, which in turn are adaptations of much older schemes. The crime is old; only the context is new.

The existence of Internet crime markets is probably the single most important factor behind the recent explosion in Internet crime. Making money from stolen credit cards is a complex undertaking requiring a lot of different skills and knowledge. To perform every step in the process himself, a criminal must be a computer operating systems expert, a computer networking expert, a confidence trickster, a money launderer, and a handler of stolen property (fence).

The crime markets allow the criminal who has only one skill to make money, and the would-be criminal with no skill to quickly learn one. It is not in a criminal's interests to teach his own special expertise; it reduces the value. But teaching another criminal's expertise lowers the cost.
