Evolution of Cybercrime and current situation

From CyberSecurity

The Roots of Cybercrime

Cybercrime has been an artifact of computer systems for a number of decades. However, the phenomenon of cybercrime did not truly come into being until the advent of the computer network. Information moving across physical distances was much easier to intercept than information held on a standalone system. Moreover, attaching a system to a network gave would-be criminals an access point into other vulnerable systems attached to the same network. But even in the early days of networked computing, cybercrime was rare. The relative rarity of computers, combined with the highly specialized knowledge needed to use them, prevented widespread abuse. The cybercrime problem emerged and grew as computing became easier and less expensive.

Cybercrime evolved from the hacking of another system, the public switched telephone network. These phone “phreakers” developed methods of breaking into phone systems to make long-distance calls for free. Perhaps the most famous of these phreakers was John Draper (aka "Cap'n Crunch"), who discovered that a toy whistle given away with Cap'n Crunch cereal generated a 2600-hertz tone, which could be used to access AT&T's long-distance switching system. Draper proceeded to build a "blue box" which, when used together with the whistle, allowed phreakers to make free calls. Shortly after, wire fraud in the United States escalated. Draper was arrested on toll fraud charges in 1972 and sentenced to five years' probation.

In the 1970s, the first affordable personal computers became available on the market, and it was shortly thereafter that the first bulletin board service, or BBS, was established. Early hackers and phreakers seized on the BBS idea as a way to communicate with one another and share their tricks and techniques. Still, even as the Internet grew, getting online was far from easy. Designers of operating systems at the time had no idea how important the Internet would be, and they did not design software with built-in functionality to connect to an Internet service provider. ISPs were few and far between, and very pricey. To connect to the Internet, a user had to obtain, install and configure a number of settings that could be tricky for the casual user. Online services such as CompuServe, AOL, and Prodigy helped to solve this problem by providing their subscribers with software that let them connect to the service with relative ease. In 1986, alarmed by the growing number of computer break-ins, the US government passed the Computer Fraud and Abuse Act, which made it a crime to break into computer networks. The law did not apply to juveniles. Robert Morris became the first person to be convicted under the new Computer Fraud and Abuse Act of 1986. Morris was punished for his Internet worm, which crashed 6,000 Net-linked government and university computers. He was sentenced to three years’ probation and fined $10,000.

Price was still an issue, but in the early 1990s costs for the user dropped to around $3 an hour, and eventually to less than $20 a month for unlimited usage, allowing not only the Internet to grow exponentially but also criminals to learn how to exploit the system effectively. Computers are now ubiquitous, and many tasks in the daily lives of users depend on computers and computer networks. The Internet has become a mission-critical infrastructure for governments, companies, and financial institutions. Computers and networks are used for controlling and managing manufacturing processes, water supplies, the electric power grid, air traffic control systems, and stock market systems, to mention a few. A feature of online services that attracts criminals is the anonymity they offer, which makes it easier for criminals to change identities and cover their tracks. The rapid growth of the Internet in the mid 1990s gave rise to cybercrime as we know it today.

Evolution of Motivation

Ten years ago, hackers dabbled on other systems only to see how they were configured and operated, and most of the time they did not cause any damage. Unfortunately, the circumstances have changed and become incredibly malicious. Instead of being driven by curiosity, hackers today are driven mostly by financial motives. The value of Internet activities and the wealth stored on computers is the source of the attraction. While e-commerce represents only a fraction of total commerce, it reached almost $70 billion in the U.S. at the end of 2004, an increase of 24 percent over 2003. A third of the U.S. workforce is online, roughly 50 million people, an important consideration since more than half of e-commerce transactions are made from work. Sixty million residents of North America, almost half of the Internet user population in Canada and the U.S., have online bank accounts. The combination of banking and commerce draws criminals more than anything else.

Categories of CyberCrime

Cybercrime has manifested itself in many different forms over the years. The following points illustrate some of the categories that criminals have entered.

1) Spam - Although for much of its history spam was not technically a crime, the 2003 CAN-SPAM Act changed the legal definition of what is acceptable. Spam now represents more than 50 percent of all email transmitted over the Internet. Its costs, which Internet service providers (ISPs) pass on to their customers, are enormous. With spam’s ubiquity comes a whole culture and industry devoted to fighting it. Large groups of people, such as the Spamhaus Project, spend enormous effort identifying the sources of spam so as to block their activity. New technologies have been created to flag its sources, such as blacklists, and to identify spam itself through Bayesian filters, distributed checksum databases, and other advanced heuristics. Increasingly on the defensive, spammers are fighting back by becoming more sophisticated, generating unique messages, and using subverted computers to send messages.
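The Bayesian filtering mentioned above scores a message by how often its words appeared in previously labelled spam and legitimate mail. The following is an added example of such a filter (not code from the original page): a Bernoulli naive Bayes classifier with add-one smoothing, trained on a small constructed corpus; the corpus, thresholds and class names are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the original page): a handful of
# labelled messages standing in for a user's spam and inbox folders.
TRAINING = [
    ("spam", "buy cheap pills now free shipping click here"),
    ("spam", "free money win a prize click now"),
    ("spam", "cheap viagra pills free offer"),
    ("spam", "claim your free prize winner click"),
    ("ham", "meeting moved to tuesday please confirm"),
    ("ham", "attached is the quarterly report for review"),
    ("ham", "can we reschedule the project meeting"),
    ("ham", "please review the attached budget spreadsheet"),
]

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lower-case and split on non-word characters. Duplicates within one
    message are collapsed, so a word repeated to game the filter counts once."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    """Bernoulli naive Bayes: each vocabulary word is a present/absent feature."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # add-alpha (Laplace) smoothing for unseen words
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.msg_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, label, text):
        toks = tokenize(text)
        self.msg_counts[label] += 1
        self.word_counts[label].update(toks)  # one count per message per word
        self.vocab |= toks

    def _log_likelihood(self, label, toks):
        # log P(label) + sum over the vocabulary of log P(present/absent | label)
        n_msgs = self.msg_counts[label]
        denom = n_msgs + 2 * self.alpha  # two outcomes: present or absent
        ll = math.log(n_msgs / sum(self.msg_counts.values()))
        for w in self.vocab:
            p = (self.word_counts[label][w] + self.alpha) / denom
            ll += math.log(p if w in toks else 1.0 - p)
        return ll

    def spam_probability(self, text):
        toks = tokenize(text) & self.vocab  # words never seen carry no evidence
        log_spam = self._log_likelihood("spam", toks)
        log_ham = self._log_likelihood("ham", toks)
        # P(spam) = 1 / (1 + exp(log_ham - log_spam)); written this way to
        # avoid overflow from exponentiating large negative log-likelihoods.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        # A high threshold biases toward false negatives: a missed spam is
        # cheaper than a legitimate message quarantined by mistake.
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter():
    """Train a filter on the constructed corpus above."""
    f = BayesianFilter()
    for label, text in TRAINING:
        f.train(label, text)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free pills click here to claim your prize",
                "please review the attached project report"):
        print(f"{f.spam_probability(msg):.4f}  {f.classify(msg)}  {msg}")
```

The spammer counter-move the paragraph describes, generating unique messages, shows up here as words outside the vocabulary, which contribute no evidence; only retraining on newly labelled samples restores the filter's accuracy.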

2) Extortion & Reputational Damage - In the Internet variant of blackmail, criminal gangs threaten companies with disruption of their networks, through denial of service attacks, or with the theft of valuable information, unless they pay a ransom into offshore bank accounts. Defacement of a company’s website can cause not just embarrassment but loss of sales. In other cases, spite or a desire to inflict harm means that the attack will be executed without warning.

3) Fraud & Phishing - The anonymity and opportunities for misrepresentation found on the Internet make fraud easy. Consumer Sentinel, a complaint database developed and maintained by the US Federal Trade Commission, recorded more than 390,000 Internet-related fraud complaints regarding transactions involving over US$540 million in losses in 2004 alone. Fraud schemes are usually peddled by individuals who spam potential victims, as in the Nigerian, or 419, scam. But as the number of fraud cases has increased, so has the public’s awareness of them, and fraudsters are increasingly forced to resort to more intricate schemes. New practices like “phishing” are gaining popularity with fraudsters. Using this scheme, criminals create email messages with return addresses, links, and branding that seem to come from trusted, well-known organizations, in the hope of convincing victims to disclose sensitive information. This practice originated in attempts to fool America Online users into parting with their screen names and passwords in the mid-1990s. The goal these days is to extract information from a victim that crackers can use for financial gain. A commonly targeted item is the victim’s credit card information. Criminals also want access to Internet payment systems such as e-Bullion, egold, or PayPal; online transaction services such as Authorize.Net, iBill, and Verotel; and Internet-accessible banks, which include almost all major banks today.

4) Service Disruption - A cybercriminal can use an Internet attack to disrupt a key service. Denial of service attacks are one method; worms and viruses containing malicious code are another. A major auto manufacturer was one of many companies that had to shut down its e-mail network for a few days because of the Love Letter virus.

5) Information Theft - The most damaging category of Internet crime, information theft can take several forms. Cybercriminals can extract personal identification information or credit information from a company’s database and affect thousands of consumers. Cybercriminals can also extract a company’s own financial information. Finally, cybercriminals can steal valuable intellectual property from a company. While the reported cost of information theft is declining, it remains one of the greatest Internet risks a company can face.

6) Money Laundering - The growth of global financial services makes it easy to conduct banking operations across borders over the Internet. The Financial Action Task Force, a group of national law enforcement agencies, notes that “within the retail banking sector, services such as telephone and Internet banking allow customers to execute transactions on a non face-to-face basis from any location with telephone or internet access.” While use of the Internet provides law enforcement agencies a greater ability to trace transactions through electronic records, the volume of transactions, the anonymity, and the lack of consistent record-keeping make it attractive to criminals and terrorists.

7) Child Pornography - The Internet has become an important tool for sex offenders, facilitating the creation, collection, trading and distribution of abusive images of children. It simplifies contact among child pornographers on the one hand, and between them and their victims on the other. Consequently, the Internet, together with other technological advances, has had an enormous impact on both the volume and the nature of child pornography.

Cybercrime Tools

Cybercriminals have developed a wide array of tools that have had varying degrees of success over the years. The following is a short list of some of these techniques.

1) Bots — A bot (short for robot) is a computer on which a worm or virus has installed programs that run automatically and allow cybercriminals access and control. Cybercriminals use viruses or other bots to search for vulnerable computers where they can load their own programs or store data. A botnet is a collection of these infected machines that can be centrally controlled and used to launch simultaneous attacks. Spammers, hackers, and other cybercriminals are acquiring or renting botnets, making it harder for authorities to track down the real culprits.

2) Keylogging — Keyloggers are programs that covertly record the keys typed by a computer user and either store the data for later access or secretly send the information to the author. The advantage of a keylogger program is that the cybercriminal does not need to trick a user into supplying sensitive information.

3) Bundling — Covertly attaching a virus or spyware to a benign or legitimate download, such as a screensaver or a game. When the computer user downloads and installs the legitimate file, they are unwittingly also giving permission to install the criminal program.

4) Denial of Service — An attack specifically designed to prevent the normal functioning of a computer network or system and to prevent access by authorized users. A distributed denial of service attack uses thousands of computers captured by a worm or trojan to send a landslide of data in a very short time. Attackers can cause denial of service by destroying or modifying data, or by using zombie computers to bombard the system with data until its servers are overloaded and cannot serve normal requests.

5) Packet Sniffers — Software programs that monitor network traffic. Attackers use packet sniffers to capture and analyze data transmitted over a network. Specialized sniffers capture passwords as they cross a network.

6) Rootkit — A set of tools used by an intruder after hacking a computer. The tools allow the cybercriminal to maintain access, prevent detection, build in hidden backdoors, and collect information from the compromised computer.

7) Spyware — Software that gathers information without the users’ knowledge. Spyware is typically bundled covertly with another program. The user does not know that installing one also installs the other. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else.

8) Social Engineering — Social engineering is not limited to cybercrime, but it is an important element of cyberfraud. Social engineering tricks deceive the recipient into taking an action or revealing information. The reasons given seem legitimate, but the intent is criminal. Phishing is an obvious example; a certain percentage of users will respond unthinkingly to a request that appears to be from a legitimate institution.

9) Worms and Trojans — A trojan is a malicious program unwittingly downloaded and installed by computer users. Some trojans pretend to be a benign application. Many hide in a computer’s memory as a file with a nondescript name. Trojans contain commands that a computer automatically executes without the user’s knowledge. Sometimes a trojan acts as a zombie and sends spam or participates in a distributed denial of service attack. It may be a keylogger or other monitoring program that collects data and sends it covertly to the attacker. Worms are self-contained viruses that travel through networks, automatically duplicating themselves and sending themselves to other computers whose addresses are found on the host computer. In the past, cybercriminals occasionally used worms and trojans to hijack a victim’s Web browser, replacing the victim’s home and search pages with links to Web spam and dropping links to the spam in the victim’s bookmarks and on the desktop. To make money, they infect computers with malicious code that generates fraudulent ad views.

10) Virus — A program or piece of code that spreads from computer to computer without the users’ consent. Viruses usually cause an unexpected and negative event when run by a computer. They contaminate legitimate computer programs and are often introduced through e-mail attachments, often with clever titles to attract the curious reader.

11) Internet message boards — Internet message boards dedicated to stocks are fertile ground for impersonators. Many posters to these boards habitually cut and paste press releases and news stories from other electronic sources into their posts to alert other posters and visitors to that information. Frequently, posters will paste in a hyperlink to direct a reader to a source directly, as Hoke did in the PairGain hoax. In addition to the rising threat, as national-level attacks become more plausible, the vulnerabilities have also increased.

Evolution & Profile of the attacker

There is a growing convergence of technically savvy computer crackers with financially motivated criminals. Historically, most computer crime on the Internet has not been financially motivated: it was the result of either curious or malicious technical attackers, called crackers. This changed as the Internet became more commercialized. Financially motivated actors, spammers and fraudsters, soon joined crackers to exploit this new potential goldmine. Criminals have fully adopted the techniques of crackers and malicious code authors. These are financially motivated people, who pursue their goals considerably more aggressively than an average cracker. They have the monetary means to buy the required expertise to develop very sophisticated tools to accomplish their goals of spamming and scamming the public.

The perpetrators of these attacks vary considerably. At the low end are script kiddies, usually unsophisticated users who download malicious software from hacker web sites and follow the posted instructions to execute an attack on some target. These attacks are often only annoyance attacks, but they can be more severe. At the next level are hackers who are trying to prove to their peers or to the world that they can compromise a specific system, such as a government web site. Next are insiders, legitimate users of a system who either access information that they should not have access to or damage the system or data because they are disgruntled. Insiders are often less knowledgeable than hackers, but they are often more dangerous because they have legal access to resources that the hackers need to access illegally.

 Avichal I think the danger is because insiders are already inside the defense perimeter meant to stop
 malicious attackers. Maybe you wanted to use the word legitimate, i.e. insiders have legitimate
 access to resources, whereas hackers have to breach the defenses to gain access to them.

Next are organizational level attacks. In this case, the organization’s resources are used to get information illegally or to cause damage or deny access to other organizations to further the attacking organization’s gain. These can be legitimate organizations, such as two companies bidding on the same contract where one wants to know the other’s bid in order to make a better offer. They could also be criminal organizations that are committing fraud or some other illegal activity. At the highest level is the nation state that is trying to spy on or cause damage to another state. This level used to be called “national lab” attackers, because the attackers have a substantial amount of resources at their disposal, comparable to those that are available to researchers at a national lab, such as Los Alamos Laboratory or Lawrence Livermore Laboratory. After the September 11, 2001 terrorist attacks on the World Trade Center, the idea of nation state level cyber attacks being carried out by terrorists became a big concern.

Malware and Threat Evolution

Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. In 1981 the first virus in the wild came into being, even before the experimental work that defines viruses of today. Written for the Apple II operating system, it spread on Apple II floppy disks containing the operating system. While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.

Classic file viruses reigned supreme in the 1990s; however, they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus then travels as far as the infected worm file does. For instance, samples of MyDoom, Netsky and Bagle have been found infected by file viruses such as Funlove, Xorala, Parite or Spaces. On the whole, there is very little danger that classic file viruses will cause any major epidemics.

The trends in epidemiology that are observed today have their primary roots in the second half of 2003. The Internet worms Lovescan, Sobig, Blaster, Slammer and Sober not only caused global epidemics but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers. In 2003, we witnessed the emergence of an attack type that combines exploitation of server and workstation vulnerabilities with the characteristics of viruses and Trojan horses. By using more efficient attack vectors and therefore minimizing the human effort required to deliver attacks and use the compromised systems, the risks related to newly discovered vulnerabilities moved up the risk measurement scale.

Optimizing costs, achieving greater efficiency, and applying the minimum necessary effort to accomplish a goal are central concepts of modern life. It is therefore not difficult to identify the same approach in vulnerability exploitation techniques and attack trends. The appearance of many efficient worms, the result of attackers’ attempts to maximize their bang for the “bug”, is one example: they compromise a very large number of systems with minimal effort. The steadily increasing number of cross-site scripting and SQL injection vulnerabilities discovered and disclosed during 2003 points to another path of least resistance into vulnerable networks. These vulnerabilities are rather simple to exploit and provide casual attackers with a high yield: direct access to internal networks, compromise of database servers and their content, and indirect ways of attacking unsuspecting users of third-party systems. The level of sophistication in the worms seen in 2003, and the installation of backdoors and tools with elaborate communication protocols and auto-update capabilities, indicate that attackers are trying to optimize the management of large numbers of newly acquired assets.

Classic email worms are on the decline, with network and instant messaging worms exploiting relatively lax security to take their place in early 2005. IM worms were at the peak of their development in spring and summer 2005, and showed the highest growth rate among all classes of network worms. In the first six months of this year, an average of 28 new IM worms were detected every month. It should be stressed here that when P2P worms were at the peak of their evolution in 2003, approximately 10 new variants were detected every week.

However, the situation changed afterwards and the flood of IM worms suddenly dried up. AOL and MSN, both of which have proprietary IM clients, were the main targets for such worms. Both companies took measures to protect their users. The first was to block the transmission of files with names and extensions known to be used by IM worms. Although IM worms rarely use file transmission as a propagation method, the move did have a noticeable effect. The next step was to block the worms' main method of propagation: hyperlinks leading to files containing the body of the worm.
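The two-stage control described above, as an added example that is not code from the original page or from either provider: a message screen that first blocks file transfers by known worm file names and extensions, then blocks messages whose hyperlinks point at downloadable executable files. The block lists, file names and URLs are constructed for illustration; the page does not give the real lists AOL or MSN used.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed policy (not from the page): extensions treated as worm carriers.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".zip"}
# Constructed file names standing in for a hypothetical worm family's payloads.
BLOCKED_NAMES = {"photo_album.zip", "funnypic.scr"}

# Matches http(s):// URLs and bare www. links inside chat text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    allowed: bool
    stage: str   # which control fired: "file-transfer", "hyperlink" or "none"
    reason: str


def _extension(path):
    """Return the lower-cased final extension of a path or file name.

    Only the last component matters, so 'vacation.jpg.exe' yields '.exe'."""
    name = path.lower().rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def check_file_transfer(filename):
    """Stage 1: block transfers with a known worm file name or extension."""
    lowered = filename.lower()
    if lowered in BLOCKED_NAMES:
        return Verdict(False, "file-transfer", f"known worm file name: {filename}")
    ext = _extension(lowered)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, "file-transfer", f"blocked extension {ext}: {filename}")
    return Verdict(True, "none", "")


def check_message_links(text):
    """Stage 2: block messages whose hyperlinks lead to blocked file types."""
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")            # trailing sentence punctuation
        full = url if "://" in url else "http://" + url
        path = urlparse(full).path            # query strings are ignored
        ext = _extension(path)
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(False, "hyperlink", f"link to {ext} file: {url}")
    return Verdict(True, "none", "")


def screen_message(text, attachment=None):
    """Apply both controls in the order the providers introduced them."""
    if attachment is not None:
        verdict = check_file_transfer(attachment)
        if not verdict.allowed:
            return verdict
    return check_message_links(text)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        ("lol check this out http://example.invalid/pics/funny.scr.", None),
        ("meeting notes are at www.example.invalid/notes?id=7", None),
        ("here you go", "vacation.JPG.exe"),
        ("here you go", "report.pdf"),
    ]
    for text, attachment in samples:
        v = screen_message(text, attachment)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} [{v.stage}] {v.reason or text}")
```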

These actions closed the majority of security loopholes being exploited by virus writers. Most importantly, they closed the loopholes used by IM worms based on source code circulating in the computer underground. Most of the code used in IM worms is of fairly low quality; the majority of these worms are created by script kiddies who have no significant programming skills. When the off-the-shelf code was no longer effective, these self-styled virus writers were unable to create new propagation methods on their own, and this led to a sharp drop in the number of new worms.

Avichal Interesting, how did they actually do this? They could not have simply disallowed users from sending any URLs in an IM message. Just curious.

Improved antivirus technologies and increased user awareness of security issues are clearly forcing virus writers and hackers to use new approaches to access users' information and systems, mostly in the form of phishing attacks. Malicious users are starting to use viruses which propagate by exploiting vulnerabilities within web applications, particularly Internet Explorer, rather than network and email worms. One consequence of this is an increase in the number of compromised sites. Exploits for IE are placed on compromised sites, so that users who visit these sites have trojan programs downloaded to their machines.

To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.

Handheld devices such as PDAs and cell phones are almost household appliances for many people, and virus writers have been quick to take advantage of their growing popularity. The first trojan for Palm OS appeared in September 2000. Finally, the increasing interest in on-line games, and the potential profits to be made in this area, make it more than likely that malicious code designed to steal players' account information will continue to evolve rapidly. The first Trojan for gaming consoles has also been discovered. The Sony PlayStation Portable was the first victim: the Trojan targeting this device deleted system files, causing the console to cease functioning correctly. This behaviour is very similar to that of Trojans for mobile phones. It may be that these new Trojans for gaming consoles signal the start of a new interest among virus writers.

Evolution of Exploit Frameworks

Cybercriminals increasingly rely on powerful exploitation frameworks to launch their attacks. Free tools like Metasploit and commercial tools like CORE IMPACT and Immunity CANVAS have revolutionized the attackers' methodology. Previously, upon finding a vulnerability, the attacker either had to create custom exploit code from scratch or scour the Internet to find code that exploited the hole. Today, instead of scraping together a bunch of individual exploits, attackers turn to these integrated frameworks, which include around one hundred or more exploits for compromising target systems.

One property of the exploit tools is the separation of the exploit from the payload. An exploit is the software that takes advantage of a flaw, letting the attacker load and execute a program of the attacker's choosing. The code triggered by the exploit is known as the payload. Old-fashioned attacks tightly bundled exploits and payloads together. An attack might exploit a database buffer overflow with the purpose of adding a user for the attacker to the local administrators group. But, with this tight integration, the attackers were stuck with the given payload attached to the given exploit for the given vulnerability. Taking the payload from one attack and embedding it with another exploit required some serious machine-language fine tuning, and was often impossibly difficult. To remedy the situation, today's exploit frameworks include an arsenal of different exploits and an arsenal of different payloads, each offering a different effect the attacker wants to have on the victim. So today, the attacker can use a tool like Metasploit to choose an exploit, such as a buffer overflow in lsass.exe, originally used by the Sasser worm last year. Then, the attacker can choose from more than a dozen different payloads. Metasploit packages the payload with the exploit, and then launches it at the target.

The real effect of these frameworks in separating exploits from payloads is now reverberating through the industry. Developers who create fresh exploits for new flaws don't have to reinvent the payload wheel every time, so they can focus their time on perfecting their exploits and producing them much more quickly. Moreover, developers who don't focus on exploits can now zoom in on the production of high-quality payloads.

Defence Evolution

 Avichal Hmm..this is little bit unexpected. I have detailed my views on the Talk page of this article.

Computer security has been reactive for the most part. That is, system administrators and security professionals are usually reacting to the latest attack. After they fix the vulnerability that allowed the attack, the attackers look for new vulnerabilities to exploit for new attacks. Trends in worm and virus delivery mechanisms and infection speed have also changed. Not long ago, a virus warning and the patch to vaccinate computers against it would appear days before the virus began spreading. Today, too often the first sign of a virus is that a part of the network goes down. Flash worms such as SQL Slammer have paved the way for future worms to carry payloads that directly target their victims and wreak havoc on government, business, and societal structures. Existing technologies such as firewalls, intrusion detection systems, intrusion protection systems, virtual private networks (VPNs), and virus scanners provide integrated security solutions. Not surprisingly, security has become a massive industry, and it is now a focal point for virtually every organization. Proactively eliminating just the known threats places an impractical burden on existing server and network infrastructures. Eliminating unknown threats, or zero-day attacks, which as the name implies reveal themselves only when they first occur, requires real-time solutions that can identify unique attacks without overburdening the network with security and management overhead.

The imagination of social engineers knows no bounds. Social engineers are highly aware of Internet user psychology and are well able to exploit current anxieties. In this connection it should be stressed that the attempts of some companies to create a browser capable of determining the veracity of any site visited, or a browser which protects information stored on the potential victim's machine, are very unlikely to be one hundred percent successful.

Cyber Victims

Early exploits were mass attacks which affected the whole Internet community. Between 1996 and 2000, high-profile web sites such as eBay, the U.S. Department of Commerce, UNICEF, the New York Times and Microsoft all fell victim to hackers or defacers. The Melissa virus caused company email servers to shut down. A fraudulent web page designed to look like a Bloomberg financial news story resulted in the shares of a small tech company rising 31 percent in response to the “news”. As the new millennium began, a huge distributed DoS attack shut down major Web sites such as Yahoo! and Amazon. Apache, RSA Security, and Western Union were hacked. The Code Red worm attacked thousands of web servers, and the Sircam virus hit e-mail accounts all over the world. As of today, spam accounts for fifty percent of all email sent, a staggering 12.4 billion messages a day worldwide.

Malicious users are now changing their focus from conducting mass attacks to targeting specific business structures, and these attacks are tailored to each individual case. Identity theft and credit card fraud are prevalent attacks affecting the public directly. Social engineering remains a threat, and the methods used are continuing to evolve. The biggest mass mailings were comparable in size to the activity seen from December 2004 through January, when cyber scammers exploited the tsunami in South East Asia.

Cybercriminals target gullible people who are new to the Internet. With huge numbers of people connecting to the Internet for the first time every year, cybercriminals always have a fresh crop of Net newbies on which to prey. Elderly people, youngsters and kids are also among the top targets.

Current Situation

The Computer Security Institute (CSI) announced the results of its 10th annual Computer Crime and Security Survey. The survey showed that virus attacks continue to be the source of the greatest financial losses, accounting for 32 percent of the overall reported losses. Theft of proprietary information also showed a significant increase in average loss per respondent, more than double that of last year. Unauthorized access showed a dramatic increase as well, replacing denial of service as the second most significant contributor to computer crime losses, accounting for 24 percent of overall reported losses and showing a significant increase in average dollar loss. On a better note, the total dollar amount of financial losses resulting from security breaches is decreasing, with an average loss of $204,000 per respondent, down 61 percent from last year’s average loss of $526,000. However, the percentage of organizations reporting computer intrusions to law enforcement has continued its multiyear decline. Respondents cited concern over negative publicity as the key reason for not reporting intrusions to law enforcement.

Avichal Would it be relevant to include the statistic in the article sent by Geoff, "Cybercrime profits exceed drug trade"?