2007: A year of cybercrime

December 16, 2007

"Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don't think we are really winning this war."
-Mikko Hypponen, director of antivirus research for F-Secure1

There seems to be ample evidence showing an evolution from hacking and virus writing for fun to creating malicious code for profit over the past years. Security experts are increasingly pointing to the existence of an underground cyber economy as proof of this, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors. The development of illegal malware has become almost as sophisticated as the traditional software-development and sales channel. Additionally, David Marcus, security research manager at McAfee Avert Labs, says that it's relatively straightforward for criminals to buy not only the modules to build malware, but also the support services that go with it.1

According to Trend Micro, in the 2007 underground economy, everything can now be outsourced. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts.1

Joe Telafici, director of operations at McAfee's Avert Labs, says that one indication of the scope of this economy was the recent case of a hacker who wrote a packer (software used to bypass antivirus protection) and who "threw in the towel recently as it wasn't profitable enough". There was simply too much competition from other malware writers, so they opened the source code and walked away.1

As the malicious-software economy grows in sophistication and size, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, almost one-fifth of those respondents who suffered one or more kinds of security incidents said they had suffered a targeted attack aimed exclusively at their organization, or organizations within a small subset. Khalid Kark, a principal security analyst at Forrester, said targeted attacks against companies and institutions are becoming more common.1

Mark Gaffan, who works in RSA's Identity and Access Assurance group, said traditional phishing attacks became less useful in 2007 - though no less common. Instead, the really malicious attacks are not lures to fake sites that try to steal your bank-account login and password, but sites that redirect you to log in at your real bank but piggyback in with you and make transactions while you are logged in.2

"You wonder why anyone still bothers burgling houses when this is so much easier"
-Raimund Genes, CTO of anti-malware for Trend Micro1

2007 witnessed a dramatic increase on the volume of malware. The number of new pieces of malicious software tripled in the first half of the year versus the previous six months, according to computer-security company Symantec. And the number of phishing Web sites spotted in the first three months of 2007 by security-software maker McAfee skyrocketed 784 percent compared with the year before. These attacks cost real people real money - individual Americans lost at least $200 million last year to online fraud - and that's just the people who took the time to report their misfortune to the FBI's Internet Crime Complaint Center.3

In an April research paper called "The Ghost In The Browser," a Google security team led by Niels Provos described a search through billions of Web pages looking for malicious sites. Using a process Provos calls "conservative," the team identified more than 450,000 Web pages that included malicious code, and 700,000 that "seemed" dangerous. Google says the numbers are now much larger.3

"The volume in absolute numbers is going through the roof... We've simply stopped counting."
-Mark Harris, global director for SophosLabs3

A quick look at the latest IT security headlines in the past few days tell a similar story:

Spam now accounts for 90 to 95 percent of all e-mail sent this year, up from an estimated 5 percent of all messages back in 2001.4 Some vendors even estimate the volume of Spam to be as high as 98 percent of all e-mail.5

Prevx, an Internet security company reports that one in every five PC is infected with rootkits.6

Some people are even starting to suggest that we have reached a "tipping point" and it's now time to begin blocking off Russian and Chinese network space in order to keep the cyber criminals at bay.7

"People talk about a 'Digital Pearl Harbor,' but that's already happened"
-Rick Wesson, chief executive of Support Intelligence3

F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities,"said Hypponen. "We have to make it more attractive to be in the white economy than in the black - when that happens we will turn a corner." explains McAfee's Telafici.1

1. "Cracking open the cybercrime economy", ZDNet, December 14, 2007

2. "Report: Cybercrime Stormed the Net in 2007", Wired, December 7, 2007

3. "Cybercrime: How online crooks put us all at risk", The Seattle Times, December 3, 2007

4. "E-mail Spam Climbs to 95% of Messages", New York Post, December 13, 2007

5. "UK e-mail traffic is 98% spam", Computer Weekly, December 4, 2007

6. "One in Five PCs Infected With Rootkits", PC World, December 13, 2007

7. "It's Time To Block Russia And China", SecurityProNews, December 14, 2007