2.8 Cyber Crime

As ebusiness has grown in scope and sophistication, so has cyber crime. Few systems are so secure that criminal or negligent activity by IT staff is impossible, and a balance has to be found between security needs and practicality. Nonetheless, cyber crime would be greatly reduced if simple security routines were adopted and kept under proper supervision.

Statistics

Cyber crime is widespread and serious. {1} Some 73% of Americans have suffered some form of cyber crime (against 65% globally, the worst being Brazil at 83%). Some 66% of hackers are American, 10.5% are British and 7.5% are Nigerian. The average cost per fraud claim is $233 for debit/credit card fraud, $610 for auction fraud, $800 for non-delivery/payment of/for merchandise and $1,600 for Nigerian letter fraud. The most basic security measures would reduce these figures, but it appears that 83% of people do not use a separate email address when purchasing online, 69% of people do not back up regularly, 62% of people do not use strong passwords or change them regularly, and 60% do not use a browser search adviser.

Commercial figures are notoriously unreliable because companies are reluctant to alarm customers by reporting problems, but a breakdown by the Computer Security Institute in 2009 was {2}:

Attacks Against Computer Systems

| Type | Prevalence |
|---|---|
| Virus | 50% |
| Insider abuse | 44% |
| Laptop theft | 42% |
| Unauthorized access | 29% |
| IM misuse | 21% |
| Denial of service | 21% |
| Bots | 20% |
| Customer data theft | 17% |
| Abuse of wireless network | 14% |
| System penetration | 13% |
| Financial fraud | 12% |
| Web application misuse | 11% |
| Password sniffing | 9% |
| Proprietary information loss/theft | 9% |
| DNS attacks | 8% |
| Website defacement | 6% |

Information is typically sold on, often to the many thousands of underground sites which offer the following to accredited criminals {3}:

| Rank for Sale | Category | Percentage for Sale | Range of Prices |
|---|---|---|---|
| 1 | Bank account credentials | 18% | $10-1,000 |
| 2 | Credit cards with CVV2 numbers | 16% | $0.50-$12 |
| 3 | Credit cards | 13% | $0.10-$25 |
| 4 | Email addresses | 6% | $0.30/MB-$40/MB |
| 5 | Email passwords | 6% | $4-$30 |
| 6 | Full identities | 5% | $0.90-$25 |
| 7 | Cash-out services | 5% | 8%-50% of total value |
| 8 | Proxies | 4% | $0.30-$20 |
| 9 | Scams | 3% | $2.50-$100/week for hosting; $5-$20 for design |
| 10 | Mailers | 3% | $1-$25 |

Cyber crime and abuse come in many shapes:

Malicious Code

Malicious code or malware are threats to computers and their security posed by spyware, viruses, worms, trojan horses and bots. They are very widespread: Microsoft found that its security products had identified nearly 95 million unique malicious files in the second half of 2008 alone.

Viruses

Viruses are small computer programs that can replicate themselves and spread to other computers. Some are relatively benign, simply displaying a message, but others are malign indeed, causing programs to run incorrectly, files to be destroyed and hard disks reformatted. Viruses are commonly classified as:

1. Macro: infect only the specific programs for which they were written.
2. File-infecting: infect executable files such as .exe and .dll files.
3. Script: written in scripting languages like Perl or VBScript.

Worms

Instead of infecting a relatively small number of files, worms infect whole computers rapidly. The Slammer worm, which targeted a known vulnerability in Microsoft's SQL Server database software, infected over 90% of Internet-connected computers within ten minutes of its release on the Internet, disabling supermarket cash registers and Bank of America cash tills.

Trojans

Trojans are malware masquerading as something the user may want to use or install that then perform unexpected actions, typically allowing backdoor access to the computer.

Bots

Short for robots, bots are malicious programs covertly installed on computers attached to the Internet. Unknown to their owners, these computers can then be controlled by third parties. Collections of these computers (botnets) are commonly used for denial of service attacks. Symantec identified an average of 75,000 active bot-infected computers per day in 2008, an increase of 31% on the previous year.

Unwanted Code

Generally benign but unwanted is the host of adware that companies surreptitiously install on the computers of visitors to their sites, enabling them to monitor potential customer behavior and sometimes to redirect visitors to sites of their choice (browser parasites). Spyware is more dangerous, as it can record and send to third parties the keystrokes constituting passwords or confidential data.

Phishing and Identity Theft

Phishing is the illegal, online attempt to obtain confidential information for financial gain. One popular example is the 'Nigerian letter email scam', which typically asks for a partner's bank details, purportedly so that the account can receive large sums of money, though in fact so that it can be looted. Another is the seemingly valid PayPal request that account details be re-entered: the request emanates not from PayPal but from a rogue site purporting to be PayPal. Once details are given, the real PayPal account is again emptied.

Credit Card Theft/Fraud

Credit card fraud is less widespread than supposed, but occurs most often when credit card information is stolen from corporate data stores. One of the most serious was the 2003 looting of 47.5 million debit and credit card details from TJX Companies, the owners of 2,500 US retail stores. The theft was not discovered until 2006, and not reported until 2007, by which time the information had been sold on to underground sites and so to criminal elements, who made hundreds of thousands of illegal purchases. {6}

Spoofing

Spoofing involves masquerading as someone else. Hackers commonly cloak their identity with fake email addresses or websites (the latter also called 'pharming'). Fake or spam blogs ('splogs') are set up solely to improve the search engine rank of associated sites. More serious are sites appearing to be the official website of a company, but which in fact are copies, stealing the legitimate business, or taking the money but not delivering.

Denial of Service

Denial of service attacks overwhelm a server by thousands or millions of page requests that come from bot-infected computers around the world. When these computers are widely distributed, the ensuing shutdown is termed a distributed denial of service, and can result in serious losses. Many major companies have suffered such attacks, requiring them to take expensive preventive measures and extend their back-up services.

Sniffing

A sniffer is an eavesdropping program that is used legally by government surveillance agencies and by telecom companies to identify network bottlenecks, but by criminal elements to obtain proprietary information. Email wiretaps are small programs hidden in an email message that allow subsequent messages forwarded with the original to be monitored. Under the US Patriot Act, the FBI can compel ISPs to install such software on their servers simply by certifying to the secret Foreign Intelligence Surveillance Court (FISC) that the information sought is relevant to an 'ongoing criminal investigation'.

Insider Abuse

Many, perhaps most, security breaches occur through negligence, poor procedures and in some cases the criminal activities of a company's own employees. Some 44% of companies surveyed in the 2009 Computer Security Institute study believed that insider abuse had been responsible for financial losses in the previous year. {2} Much goes unreported, or even undetected.

System Failures

Design flaws in server and client software provide points of weakness which hackers and criminals periodically exploit. All operating systems and browsers unfortunately possess such flaws, which are continually being plugged by 'patches' or updated versions. In a single week in August 2009, the US Computer Emergency Readiness Team (US-CERT) discovered no fewer than 153 vulnerabilities in server and application software, 69 of them rated as 'high severity'. {2}

Questions

1. How serious is cyber crime? Give some statistics.
2. How is illegally obtained information sold on?
3. Describe five types of malicious code. What practical measures should be implemented?
4. What other security threats do online businesses face?
5. Companies do a good job in updating their software to eliminate code weaknesses. Discuss.

Sources and Further Reading

1. Cyber Crime Statistics. US College Search. March 2011. Selected statistics: original sources illegible.
2. Computer Security Institute 2009 data, quoted in Ecommerce 2010 by Kenneth C. Laudon and Carol Guercio Traver. Pearson. 2010. Section 5.
3. Symantec Report on the Underground Economy June 07-June 08. Symantec November 2008. Provides details on the organized nature of cyber crime.
4. CyberWarZone. Short articles on many aspects of cybercrime and computer attack.
5. Canadian probe finds TJX Breach followed wireless hack by J. Vijaya. Computer World September 2007.
6. Cybercrime and Hacking Topic Center. Computer World. Continually updated articles.
7. Cybercrime. Financial Times. Free access to up to 10 articles for 30 days.
8. Cyber Crime. FBI. Stories, advice and initiatives to combat crime.
9. Computer Crime. UK Parliamentary Office of Science and Technology. October 2006. A concise summary of types of attack, legislation applying and relevant law-enforcement societies.
10. A Small Business is Big Business in Crime. TrendLabs. 2011. Promotional paper, but with useful statistics.