Why IT Security Must Combat Organized Cybercrime

The bad guys are targeting consumers, but enterprises still pay

Ditch the Hollywood stereotypes. These guys don’t wear wide ties or spats, have flattened noses, or speak with strange accents. Nor do they have a fictional HBO series. They do, however, have highly specialized contractor and employee roles. They work outside conventional structures, and they are attracting some of the best computer talent from all over the world. In the last six years, organized cybercrime has become serious business.

In late July, the U.S. Government Accountability Office estimated the total direct and indirect costs of all cybercrime at $137 billion. Some private estimates attribute nearly $70 billion of that to organized cybercrime. That’s more than the 2006 annual gross revenue of some Fortune 100 companies.

You can also forget the image of the miscreant in a parent’s basement. These are groups of criminals, not script kiddies.

According to Dan Larkin, a unit chief in the FBI’s Cyber Initiative and Resources Fusion Unit (think cybercrime), "From our perspective, today it is an organized criminal threat, not what we traditionally called organized crime but very parallel. Like organized crime, they have specialized talents such as the safecracker or the lookout or the wheelman or the money launderer or recruiters for mules to move merchandise.

"In the same way, they have people with particular strengths, such as writing the malware or creating the botnets. You have others good at creating the social engineering Web sites that look like your bank, or an intriguing Web site that gets you to click on a link, or click on an Internet picture from some current event. Once the customers are compromised, the financial data is harvested. Then there is the need to turn the information into money or plastic or merchandise, [and] you need to launder the money or move the merchandise to a place where it can be converted to cash.

"As you go through how it happens and how it’s done, you have a number of individuals and groups involved that represent the actual threat."

According to Larkin, the greatest concerns involve groups operating in Eastern Europe, Russia, and parts of Asia, along with operations in a few other countries. However, a good portion of the participants reside in the United States, where attacks are aimed at consumers, who take far less effort to compromise than a head-on assault on a corporation.

Enterprises are Victims Too

Michael Montecillo, security and risk management analyst at Enterprise Management Associates, has worked with incident response teams. He agrees that the bad guys are primarily targeting the end user. He notes the increase in sophisticated techniques such as spear phishing, where the criminals customize the compromising message with personalized information such as the person’s name or work affiliation.

Montecillo finds the recruitment of computer talent in foreign countries "somewhat sad" because these programmers could earn more money being legitimate IT security professionals than working for criminals.

As Larkin points out, "It’s an ironic world-is-flat [idea] that the bad guys are outsourcing just like companies. They can go online and find the services and assemble a criminal effort with minimal effort on their part and at a low cost."

Montecillo notes that one result of the many end-user computer compromises is the increasing use of the assembled botnets for purposes that go beyond launching spam. He sees signs of increased potential for the botnets to be used to blackmail companies or to launch DDoS attacks against competitors. Last week’s reports of the Storm botnet affecting over 1.2 million systems (with some estimates running far higher) should give any IT person pause.

Even though the criminal effort targets consumers, industry and institutions still pay. According to Larkin, "Even if your brand isn’t damaged by being used in a phishing scheme, your employees’ and customers’ account information can be exposed. And the bad guys are more interested in walking in the front door of your business or bank with the keys to the vault and walking right out with the cash or merchandise."

Some reports state that banks are losing a million dollars per month to phishing. Most mules hit ATMs and convert gift cards to cash. Brick-and-mortar and Internet merchants alike can be hit, even if they have good security measures in place and are reluctant to ship merchandise overseas. Mules and launderers in the U.S. are recruited to buy from stores, or to accept packages bought with stolen credit-card or debit-card account numbers, and then bundle and reship them overseas, where the merchandise is converted to cash. High-value items such as clothes and electronics are favored choices.

The FBI hopes to succeed by going after each layer in the chain. Overseas enforcement requires a combination of joint law enforcement, political cooperation, and sometimes massaging local egos. Meanwhile, the best defense for consumers is to become more savvy.

For companies, Montecillo offered these three tips:

  1. Use a strategic approach to mitigating the risk to users and infrastructure, based on the changing threat environment.
  2. Have a holistic model. Don’t focus on just some aspects, such as network or desktop security.
  3. Educate your users.

Larkin suggests breaking the mold when defining threats, both by stepping outside your comfort zone and by working horizontally and vertically with other industries and institutions. He encourages collective (as in multi-agency, multi-company) response options.

We know the crooks are out there, that they are nimble, and that they are after the money. They are organized. Our IT security programs need to be better organized than they are.