Sizing Up Cybercrime

How cybercriminals are changing the way they target IT assets

by Dean Turner

With just a few simple clicks of a mouse, today’s ruthless cybercriminals can turn anything from stolen bank account information to e-mail cookies into monstrous profits. With such an elaborate and sophisticated underground fraud economy, cybercriminals are seeing nothing but dollar signs.

A credit card from a United States-based bank goes for between US$1 and US$6, while someone’s complete identity—including Social Security number, bank account information, credit card data, mother’s maiden name, and date of birth—can be purchased for the bargain price of just US$14 to US$18. This constantly evolving market allows criminals to buy, sell, and trade valuable information in a digital world of decidedly proficient crime rings that often run not only underground servers but also botnets.

The competition is fierce—this thriving digital ecosystem is bubbling with activity as cybercriminals produce progressively more sophisticated methods to steal any information that can turn a profit. The United States has become a playground for cybercriminals in terms of targeting a larger group of victims and as a haven for conducting their criminal activities. For example, a majority of the underground servers monitored by Symantec were located in the United States. Cybercriminals utilize these servers to market stolen information, typically for subsequent use in identity theft. According to Symantec’s most recent report, 51 percent of the underground economy servers throughout the world that Symantec observed during the last half of 2006 were in the United States.

This comes as no surprise to Internet watchers, since the United States has a larger Internet infrastructure and more broadband use than any other country in the world—two key factors in creating such a wealth of opportunities for criminals to accomplish their malicious crimes. In fact, the United States accounts for 19 percent of the world’s Internet users and, as of June 2006, it had more than 57 million broadband Internet users.

While the number of bot-infected computers increased by 29 percent, the number of worldwide command-and-control servers decreased by 25 percent because bot network owners are consolidating their networks and enhancing the magnitude of their existing networks. To that end, bot owners instigate denial of service attacks and drive competing networks out of business, or they steal their competitors’ stolen bot computers and, in turn, expand their own botnet franchises.

It takes a lot of stolen identities to make someone wealthy—that’s why today’s cybercriminals cast such big nets. However, not all stolen information is created equal. U.S. credit cards are typically advertised for about half as much as those from the United Kingdom. This could simply be because of supply and demand—a greater number of cards from the United States are available for sale—or it could be an issue of currency, because the United Kingdom’s pound is currently stronger than the dollar.

Then again, a list of 29,000 e-mails will net a cybercriminal just US$5, but a verified PayPal account with a balance can bring in as much as US$500.

How do these cybercriminals acquire all this information in the first place? They use phishing attacks, keystroke loggers, Trojan horses, worms, spam, and spyware, as well as new and noxious combinations of all such malware—anything that will enable them to compromise systems and steal valuable information.

Cybercriminals also exploit more zero-day vulnerabilities—software flaws for which a patch has not yet been released. Twelve zero-day vulnerabilities were recorded during the last half of 2006 compared to just one found in the previous two reporting periods. This is just one example of how these criminals get their stock of private information.

Additionally, five of the 12 zero-day vulnerabilities released in the second half of last year targeted Microsoft Office. Why? Because PowerPoint presentations, Word documents, Excel spreadsheets, and similar files are rarely blocked by security software and nearly always opened by their recipients.

Undoubtedly, cybercrime has become a genuine concern, particularly for those in the United States. In the wake of this digital crime wave, individuals will either take the necessary security measures to combat this flourishing digital economy or fall victim to malicious cybercriminals. Consumers, businesses, academic institutions, and even government agencies must protect their digital assets, make digital defense a higher priority, and take back their cyberturf.

- - -

Dean Turner is senior manager, Symantec Security Response, where he serves as Executive Editor of the Internet Security Threat Report. In addition to being a co-author, Turner coordinates the research and analysis of attack data gathered from Symantec's DeepSight Threat Management System, Managed Security Services, Business Intelligence Services, and Symantec Antivirus Research Automation for use in the publication of the ISTR.