2007: A banner year for online crime
Last Updated December 24, 2007
By Jesse Hirsh, CBC News
As 2007 comes to a close it's natural for us to look back and analyze the year past so as to prepare for the year ahead. One particular thread that stands out is the incredible growth of cyber crime.
In October I wrote about the rise of the storm worm, and while it has since diminished in size, it continues to evolve and remain active, symbolic of the explosion of malware (software with malicious intent) that has fuelled the greatest boom in internet crime seen to date. In fact, beginning Christmas Eve, the storm worm began sending out messages enticing people to visit a site called merrychristmasdude.com, at which point their computers will be infected and taken over by the worm.
The security company F-Secure has been studying and cataloging malware for more than two decades, and in 2007 it added 250,000 new entries to its index, which was more than all previous years combined. This malware is almost entirely built for criminal purposes, whether for fraud, identity theft, data mining, or serving out spam.
Increasing sophistication
The organization of all this criminal activity manifests in the form of bot nets (see sidebar) such as the storm worm, networks of hijacked machines that allow criminals to engage in their activities without being traced or identified. The sophistication of these bot nets has increased so rapidly that many observers have begun speculating that we're witnessing the early stages of a new online arms race, a cyber cold-war in which new weapons and tactics are being developed and tested.
Botnets
A botnet, or robot network, is a group of web-linked computers — sometimes called zombies — that have been commandeered, in some instances by criminals, to perpetrate all kinds of online nastiness. Typically a bot is installed on a machine through a trojan, an insidious program that can find its way into an insufficiently protected computer in a variety of ways, such as when a user clicks on a link to an infected web page or e-mail message, views an infected document or runs an infected program. Once the bot has made itself at home, it opens the doors of its new host computer to its master, who can instruct the machine to engage in various activities such as sending out spam and phishing e-mails, or launching the distributed denial of service or DDOS attacks like the kind that almost brought down the internet. In some cases, these nasty little robots can steal personal data and return it to a central site to be used for identity theft purposes.
For example, in May, Estonia's internet infrastructure was attacked and forced off-line for several days. In November, the British security service MI5 contacted 300 major corporations to inform them about successful attacks made by hackers employed by the Chinese government. The New York Times recently reported that the U.S. Department of Homeland Security had pointed the finger at Chinese hackers as being responsible for an intrusion into the computer network of the nuclear weapons research facility at Oak Ridge National Laboratory in Tennessee.
There were also massive security breaches and exposures of consumer data in 2007. Approximately 100 million consumers were affected by the computer break-in at TJX, which occurred over a period of several years but was only disclosed in 2007. Monster.com was hacked and 1.3 million users had their personal information stolen. In November, the U.K. government's Revenue and Customs Department disclosed it had lost two discs containing the personal information of 25 million British citizens.
While the last example apparently was due to a mistake rather than a criminal attack, it highlights a year in which computer security and privacy were under constant pressure.
Social networks like Facebook are responsible for some of the momentum behind the rapid loss of privacy. However, the real difference lies in the evolving methods being employed by criminals online, and the way in which they combine sophisticated technology with clever language and techniques to get people to click on links and visit sites that will compromise their computers.
The methods of attack are diverse, but what most have in common is the focus on attempting to trick the user into taking action. That could include installing software, opening an e-mail attachment, visiting a website, opening a video or image, even calling a phone number to speak to an experienced con artist. Whether pharming, phishing, or fraudulent bank e-mails, the purpose is to fool you into a false sense of security so that you either voluntarily give up personal information or allow access to your computer so someone else can steal it — or spy on you to steal it later.
Cybercrime a growing franchise
One of the main reasons we're seeing such creativity combined with advanced technology is the way in which the online criminal industries have embraced the franchise model of doing business. No longer do you need technical skills to get in at the ground level of online crime; now for a reasonable price you can buy software, services and support to help you build your own army of hijacked computers.
These cyber crime kits, such as Mpack and IcePack in particular, are not only available to buy — free versions are also circulating widely. The difference, however, is that the free versions have an added back door that allows the authors to monitor and control their franchises.
The most visible impact of all this criminal activity is spam. The security research firm Barracuda Networks recently released a study that claimed 90 to 95 per cent of all e-mail in 2007 was spam. The majority of these messages employed identity obfuscation techniques — i.e., they appear as if they're from your friends, contacts or trusted institutions, and their subject lines are relevant to your personal life. The ones I've been receiving lately, for example, have to do with last-minute gift shopping and New Year or holiday greetings.
Looking ahead
So what's in store for the new year other than even more spam?
The explosion in the popularity of social network sites like Facebook will continue to attract criminals looking to harvest identity information and target potential victims. Blogs have already been under attack by spam bots and are starting to be used in infection schemes in which malicious code is installed on a target computer via an infected widget or software add-on. A similar exploit can be used via the Facebook application platform or Google's Open Social initiative.
All of these attacks assume inevitable detection, but they only require a few hours or a few days of activity to be effective.
Mobile devices (the iPhone in particular) will be attractive targets in 2008 as they become smarter and more powerful. They are always connected to the internet, so they present a perfect opportunity for criminals wanting access to our information and money. As the Royal Bank here in Canada tests technology that turns cellphones into electronic wallets, you can also expect there are efforts underway by criminals to learn how to access them illegally.
The thing to keep in mind is that the success of cyber criminals lies not so much in their ability to break into computers or compromise technology, but in their understanding of how people use technology every day. They are using the habits and behaviour of people to gain access to their information. Social engineering is the core trait of the hacker, and appropriated by the cyber criminal, it has now become a profitable means of doing business online.
Yet profit is not the only motive for those with the power to mobilize armies of zombie computers and deceive the internet masses.
The general consensus among security research companies focusing on the year ahead is that in addition to continued growth, the technology and tactics demonstrated in this online criminal economy will be applied to the 2008 U.S. presidential election. More on that in my next article.
Jesse Hirsh is based in Toronto and can be contacted via jessehirsh.com