The Motives of Internet Criminals: Why They Want Our Money
Have you ever seen a bank robbery? Before the Web, the chance that you would have seen an actual bank robbery was quite small. Today, though, if you have e-mail, it is almost certain that you have been targeted by bank robbers.
By the last count, I receive more than 2,500 criminal e-mails a day. These criminals want my money; they want your money. How are we going to stop them?
The first step toward finding an answer is to understand how the crimes work. Knowing how Internet crimes work will do little to reduce the number of victims: it will only take a little longer for the criminals to find them. It is, however, the best way to make sure you do not become the victim.
Internet crime is real. It's organized. Internet criminals have stolen hundreds of millions of dollars and caused billions of dollars' worth of damage. The number of attacks and their sophistication is on the rise, and this trend is expected to continue for the next several years.
In the early years of the Web, Internet crime was mostly the actions of teenage vandals looking for a way to pass time. Attempting to make money from hacking was considered too risky, too likely to attract the attention of the authorities. Today it's all about the money.
One consequence of this change is that Internet crime has become much easier to predict. Only the most obsessive vandal would attempt the same crime in the same way, again and again for long enough for investigators to build a profile. The professional criminal does not become bored so easily and will keep doing what he is doing until the act no longer makes money or he is caught.
The Internet criminal changes his tactics frequently. The techniques that Internet criminals used to perform bank fraud three years ago simply do not work today. The techniques they are using today are not likely to be as profitable or as safe in three years' time. But the goal of the professional Internet criminal remains the same—to take money from other people—and so do the three basic strategies that he uses to achieve this goal: extortion, impersonation, and persuasion.
- Extortion—Criminals have operated extortion rackets for millennia. The Internet is a major engine of the global economy. Many companies cannot carry out their business when their Web site is down. A criminal who can make a site unreachable may find businesses willing to pay for protection.
- Impersonation—The money that the criminals are after is mostly stored in banks. Taking the money from the bank directly is far beyond the capabilities of most Internet criminals. Instead, they attack the system at its weakest link: the customer. The customer has access to his bank account through the Web. All the attacker needs to do is to cause the customer to divulge his account name and password.
- Persuasion—The most pervasive type of Internet crime is the confidence trick. The larger the pool of potential victims that the attacker can reach, the less credible the story needs to be. The Internet allows a criminal to reach an audience of more than a billion.
Internet crime is a mile wide and an inch deep. What appears at first glance to be something new invariably turns out to be a new way to perform an old scam.
The Tools of the Trade
The tools of the Internet criminal are chosen for effectiveness rather than sophistication. The Internet allows the criminal to contact a vast audience of potential victims, to communicate in ways that are difficult to trace, and to collaborate with other criminals. Criminals have always done such things but on a smaller scale. The Internet gives the criminal enterprise global reach and the whole world to hide in.
The Internet also gives the criminal a new capability: the ability to spy on the activities of people who are not in their immediate vicinity by taking control of their computer.
Of Bots and Botnets
Traditional criminals use stolen cars as getaway vehicles. Cyber criminals cover their tracks using stolen machines but do one better—the real owner continues to pay for gas.
Many Internet users believe that they are not at risk from Internet crime because they have nothing of value on their computer. But the computer itself has a value to the Internet criminal. The thief can steal the use of the machine without taking the physical machine, but the owner continues to provide the necessary space, power, and network connectivity.
In hacker jargon, there are many names for a machine that has been taken over. News reports often use the terms bot or zombie; within the field, the term owned machine is sometimes used.
Control of one bot gives the criminal a getaway vehicle. Running an Internet crime from your own house using the network connection you (or your parents) pay for is risky. Channeling communications through a bot allows the Internet criminal to lay a false trail.
The sophisticated criminal hides his activities through a constantly changing series of machines carefully chosen so that the trail passes through as many jurisdictions as possible.
Bots are also used to perform the crime itself. A bot can be used to attack other machines, to send spam, and to create other bots, forming a botnet. The more bots an Internet criminal controls, the more crime he can perform. Most worrying of all, perhaps, a bot can spy on the owner of the machine and watch as he logs in to his online bank or enters his credit card number.
Some years ago, taking over (cracking) machines was a bespoke industry. The attacker would select a machine and work on ways to break into it until something worked or he decided to give up and move to another target. Today it is easy to obtain hacking tools that probe thousands of machines at a time.
Botnet management has become a commodity, a low-skill, low-return Internet crime. Skilled professional criminals often prefer to "rent" the use of bots. A bot is priced on the black market according to the utility to the criminal: the speed of the Internet connection, the speed of the processor, and whether the network management is likely to shut it down quickly.
An attacker can gain control of a machine in much the same way that an army can capture a walled city: by direct assault or by subterfuge.
A direct assault requires the attacker to find an exploitable vulnerability in the defenses of the machine. Computers have no common sense; they just follow instructions. If a program is written properly, the only instructions that the computer will execute are the ones the programmer writes. If a program has a specific type of programming error, the computer might end up executing instructions that an attacker supplies.
A direct assault is unlikely to compromise a "securely" configured machine with every nonessential service turned off and every security fix installed. With a billion users and a billion-plus machines, there will never be a shortage of vulnerable targets.
Every machine that is connected to a network and has some form of processing capacity is a potential point of compromise: every router, every wireless gateway, every cable modem, every printer.
The vandals competed to crack the machine in the most ingenious ways they could. The professional Internet criminal is only interested in results and accordingly attacks the system at its weakest link: the user. Why bother working out how to bypass the computer defenses when the user can run any program you want? All you need to do is to persuade him to run it.
A program that has a hidden malicious purpose is called a Trojan after the Trojan horse of Greek legend. Mistaking the horse for a parting gift, the Trojans wheeled it into their city and left it unguarded while they went off for a feast. During the celebrations, the soldiers hidden inside the horse quietly slipped out and opened the city gates to let the waiting Greek army through.
Computer Trojans work in the same way. The user thinks that he is doing something harmless while the Trojan takes over his machine.
Five years ago, a Trojan attack could be neatly classified as a virus, worm, or spyware. But the changing tactics of the criminals have rendered the distinction obsolete. The terms malware and even crimeware have been introduced in an attempt to keep pace.
A true computer "virus" spreads from one infected machine to another as a biological virus does. Today the analogy is obsolete. Instead of waiting for their creations to spread gradually from one machine to another, the criminals pump out Trojan-bearing e-mails from a botnet.
Equally obsolete are the tools based on the assumption that the criminals will continue to respect these distinctions.
By the time the "virus" has been detected and analyzed, and "antivirus" signatures have been distributed, the attack will already have reached tens or hundreds of millions of machines, and the attacker will be busy creating his next attack.
When spyware first began to appear as a significant concern for computer owners, it was mostly ignored by the suppliers of "antivirus" software. It took a new group of vendors offering antispyware solutions for the antivirus vendors to realize that their customers expected to be protected from all forms of harm regardless of cause.
In the words of FTC Commissioner Orin Swindle,1 "Spam is killing the killer application of the Internet." But spam is no longer merely a nuisance that threatens to make e-mail unusable; spam is one of the primary vehicles for Internet crime. Virtually every Internet crime involves spam at some point, and most spam is sent to further a criminal end.
Spam frauds range from simple consumer frauds such as peddling quack medicines and bogus get-rich quick schemes to sophisticated confidence tricks. The vast majority of spam products are fake, stolen, or nonexistent. Spam is cheap, difficult to track, and provides access to a billion potential victims.
Stopping spam is widely considered to be an intractable technical problem. That's true: The cause of spam is social, not technical. Spam can, however, be controlled and to a large extent "solved" by a social solution, and technical measures can be designed to support that social solution.
There is no "technical solution" for graffiti either. The problem of graffiti has existed for thousands of years, as the remains of Pompeii attest. But as New York City Transit Police Chief William J. Bratton demonstrated, control of graffiti is entirely practical given the necessary determination and resources. Bratton's "policy" of erasing the work of vandals within 24 hours of its being created coupled with a zero-tolerance policy toward fare-dodging and other types of vandalism had a noticeable effect. Technical measures such as graffiti-resistant paint are not by themselves a solution, but the right technical measures can make a social solution possible or more effective.
The problem of spam is caused by the lack of accountability in the e-mail system. The social solution to the spam problem is to establish accountability. How this is done is the topic of later chapters.
Like graffiti, the problem of spam was largely ignored as a nuisance until people decided that the problem mattered. Users who complained that their electronic Inbox was full of junk were told not to worry about such a trivial matter; just don't respond to it.
The catalyst for the New York subway graffiti crackdown was the "broken windows" theory2 that tolerance of minor crimes creates an environment perceived to be permissive of crime that leads to major crimes.
Whether the broken windows theory is true and whether the zero-tolerance policy is the main cause of the reduction in crime is open to debate. Social change almost never has a single cause. If we wait for absolute certainty before we act, we can be certain of only one thing: Our actions will come too late.
Internet Crime Markets
The term organized crime suggests a single group of criminals organized in much the same way as a business. Al Capone and his fellow bootleggers organized their criminal enterprises using the principles of modern business management then being developed by Alfred Sloan and others. Professional Internet criminals continue the tradition, applying the organizational principles of the "virtual corporation" long before the legitimate businesses of the day have fully realized them. A free-market approach is pursued in which individual criminals or groups of criminals specialize in particular tasks, selling their services to others or buying services that they need.
Stolen credit card numbers are traded in numerous criminal venues that are exchanged in chat rooms or offered for sale on bulletin boards. In some cases, the sellers even have Web sites offering their product. Figure 1-1 shows a Web site offering stolen credit cards (referred to as dumps) priced according to the card issuer, the region the card was issued, the credit limit, and so on.
Figure 1-1 Online trading site for stolen credit card numbers, or dumps
Criminals with technical expertise sell information and tools to the less expert criminals who do the actual dirty work. Like traditional arms merchants, these experts occupy a gray area of dubious legality. Some of the tools they sell might have legitimate purposes as well as criminal ones. A security scanner, for example, is used to detect the vulnerabilities in a system, but this can be done by a legitimate "white hat" hacker to identify a system needing attention or by a criminal "black hat" hacker looking for a vulnerability to exploit.
To make the situation even more murky; there is more than anecdotal evidence to suggest that some play both sides of the fence. The Internet security world is like a John le Carré spy novel; it is difficult to know the good guys from the bad.
Fortunately, the system works both ways: The bad guys cannot know which of their associates might turn out to be a police plant. This has allowed law enforcement to deal effectively with certain Internet crimes, such as attempts to establish online pedophile rings. A pedophile can never be sure whether the other person in the Internet chat room is really the 12-year-old child he thinks or an undercover police officer.
Figure 1-2 shows a Russian Web site (since closed) that provided online forums for various forms of Internet crime, including carding—the use of stolen credit cards. The banner on the site logo reads, "Carders of all lands unite." The picture is of Lenin, but the quotation is adapted from Karl Marx's closing lines to the Communist manifesto. The choice is somewhat unfortunate from the carders' perspective because the original quotation continues, "You have nothing to lose but your chains." Anyone who wants to avoid chains would be better advised to steer clear of carding rings, as the U.S. Secret Service and Department of Justice demonstrated in Operation Firewall, a multinational investigation of the Shadowcrew carding organization, which resulted in 28 arrests, including seven in foreign countries. The Shadowcrew Web site was taken over by the U.S. Secret Service, who used it to send a message to the carding rings (see Figure 1-3).
Figure 1-2 Russian site offering advice on carding crime
Figure 1-3 The Shadowcrew Web site after Operation Firewall
The Internet allows criminals to communicate secretly and anonymously with others of their kind. Payment for services rendered might be made by wire transfer or courier service envelopes stuffed with up to $20,000 in used bills or through more anonymous means such as a gift card bought with cash or an anonymous Internet currency such as e-Gold.
Although it would take an entire book to describe every detail and development of every Internet crime, most are variations of the same basic schemes, which in turn are adaptations of much older schemes. The crime is old; only the context is new.
The existence of Internet crime markets is probably the single most important factor behind the recent explosion in Internet crime. Making money from stolen credit cards is a complex undertaking requiring a lot of different skills and knowledge. To perform every step in the process himself, a criminal must be a computer operating systems expert, a computer networking expert, a confidence trickster, a money launderer, and a handler of stolen property (fence).
The crime markets allow the criminal who has only one skill to make money, and the would-be criminal with no skill to quickly learn one. It is not in a criminal's interests to teach his own special expertise; it reduces the value. But teaching another criminal's expertise lowers the cost.