Difference between revisions of "Evolution of Cybercrime and current situation"

Revision as of 06:50, 4 December 2005

The Roots of Cybercrime

Cybercrime has been an artifact of computer systems for a number of decades. It’s safe to say that soon after the first computer networks were built, criminals were looking for ways to exploit them for illegal purposes. As soon as it was widely recognized that computers store and process valuable information, criminals saw an opportunity. However, the phenomenon of cybercrime did not truly come into being until the advent of the computer network. Information moving from across physical distances was much easier to intercept than that on a standalone system. Moreover, attaching a system to a network provided would-be criminals an access point into other vulnerable systems attached to the same network. But even in the early days of networked computing, cybercrime was rare. The relative rarity of computers, combined with the highly specialized knowledge needed to use them prevented widespread abuse. The cybercrime problem emerged and grew as computing became easier and less expensive. Cybercrime evolved from hacking of another system, the public switched telephone network. These phone “phreakers” developed methods of breaking into phone systems to make long-distance calls for free. In the 1970's, the first affordable personal computers became available on the market, and it was shortly thereafter that the first bulletin board service, or BBS, was established. Early hackers and phreakers seized on the BBS idea as a way to communicate with one another and share their tricks and techniques. Still, even as the Internet grew, getting online was far from easy. Designers of operating systems at the time had no idea how important the Internet would be. They didn’t design software with built-in functionality to connect to an Internet service providers. ISPs were few and far between, and very pricey. For a user to connect to the Internet, they would have to obtain, install and configure a number of settings that could be tricky for the casual user. Online services such as CompuServe, AOL, and Prodigy helped to solve this problem. They provided their subscribers with software that would enable them to connect to their service with relative ease. Price was still an issue, though, but in the early 1990’s, costs for the user dropped to around $3 an hour, and eventually, to less than $20 a month for unlimited usage, allowing not only the Internet to grow exponetially, but also for criminals to learn how to effectively exploit the system.

Computers are now ubiquitous and many tasks performed in the daily lives of users depends on computers and computer networks. The Internet has become a mission-critical infrastructure for governments, companies, and financial institutions. Computers and networks are used for controlling and managing manufacturing processes, water supplies, the electric power grid, air traffic control systems, and stock market systems, to mention a few. A benefit of online services that attracts criminals is the anonymity they offer, making it easier for criminals to change identities and cover their tracks. The rapid growth of the Internet in the mid 1990’s gave rise to cybercrime as we know it today.

Evolution of Motivation

Ten years ago, hackers were dabbling on other systems to only see how they were configured and operated. Most of the time they did not cause any damage. Unfortunately, the circumstances have changed and become incredibly malicious. Instead of being driven by curiosity, hackers today are driven mostly by financial motives. The value of Internet activities and the wealth stored on computers is the source of the attraction. While e-commerce represents only a fraction of total commerce, it reached almost $70 billion in the U.S. at the end of 2004, an increase of 24 percent over 2003. A third of the U.S. workforce is online, roughly 50 million people, an important consideration since more than half of e-commerce transactions are made from work. Sixty million residents of North America, almost half of the Internet user population in Canada and the U.S., have online bank accounts. The combination of banking and commerce draws criminals more than anything else.

Categories of CyberCrime

Cybercrime has manifested itself in many different forms over the years. The following points are illustrative of some of the techniques that have been employed.

1) Spam - Although for much of history spam was not technically a crime, the 2003 CAN-SPAM Act changed legal definitions on what is acceptable. Spam now represents more than 50 percent of all email transmitted over the Internet. It's costs, which Internet service providers (ISPs) pass on to their customers, are enormous. With spam’s ubiquity comes a whole culture and industry devoted to fighting it. Large groups of people, such as the Spamhaus Project, spend enormous effort to identify the sources of spam so as to block their activity. New technologies have been created to flag its sources, like blacklists, and spam identification through Bayesian filters, distributed checksum databases, and other advanced heuristics. Increasingly on the defensive, spammers are fighting back by becoming more sophisticated, generating unique messages, and using subverted computers to send messages.

2) Extortion & Reputational Damage — In the Internet variant of a blackmail, criminal gangs will threaten companies with disruption of their networks, through denial of service attacks, or the theft of valuable information, unless they pay ransom into offshore bank accounts. Defacement of a company’s Web site, can cause not just embarrassment but loss of sales. In other cases, spite or a desire to inflict harm means that the attack will be executed without warning.

3) Fraud & Phishing — The anonymity and opportunities for misrepresentation found on the Internet make fraud easy. Consumer Sentinel, a complaint database developed and maintained by the US Federal Trade Commission (www.consumer.gov/sentinel/), has recorded more than 390,000 Internet-related fraud complaints regarding transactions involving over US$540 million losses in 2004 alone. Fraud schemes are usually peddled by individuals who spam potential victims, such as the Nigerian, or 419, scam. But as the number of fraud cases has increased, so has the public’s awareness of them; fraudsters are increasingly forced to resort to more intricate schemes. New practices like “phishing” are gaining popularity with fraudsters. Using this scheme, criminals create email messages with return addresses, links, and branding that seem to come from trusted, well-known organizations with the hope to convince victims to disclose sensitive information. This practice originates in attempts to fool America Online users into parting with their screen names and passwords in the mid-1990s. The goal these days is to extract information from a victim that crackers can use for financial gain. A commonly targeted item are victims credit card information. Criminals also want access to Internet payment systems such as e-Bullion, egold, or PayPal; online transaction services such as Authorize. Net, iBill, and Verotel; and Internet accessible banks which includes almost all major banks today.

4)Service Disruption — A cybercriminal can use an Internet attack to disrupt a key service. Denial of service attacks are one method, worms and viruses containing malicious code are another. A major auto manufacturer was one of many companies that had to shutdown its e-mail network for a few days because of the Love Lettervirus. Some viruses will wipe clean computer memories, erasing payroll records or invoices.

5)Information Theft — The most damaging category of Internet crime, information theft can take several forms. Cybercriminals can extract personal identification information or credit information from a company’s database and affect thousands of consumers. Cybercriminals can also extract a company’s own financial information.Finally, cybercriminals can steal valuable intellectual property (designs,blueprints, and marketing plans) from a company. While the reportedcost of information theft is declining, it remains one of the greatest Internet risks a company can face.

6)Money Laundering — The growth of global financial services makes it easy to conduct banking operations across borders over the Internet. The Financial Action Task Force, a group of national law enforcement agencies, notes that “Within the retail banking sector, services such as telephone and Internet banking allow customers to execute transactions on a non face-to-face basis from any location with telephone or internet access.” While use of the Internet provides law enforcement agencies a greater ability to trace transactions through electronic records, the volume of transactions, the anonymity, and the lack of consistent record-keeping make itattractive to criminals and terrorists.

7)Child Pornography - Internet has become an important tool for child sex offenders in order to facilitate the making, collection, trading and distribution of abusive images engaging children. It constitutes a vehicle to simplify the contact between child pornographers mutually, on the one hand, and with their victims, on the other hand. Consequently, the Internet linked with other technological advances has an enormous impact on both the volume and the nature of child pornography.

Cybercrime Tools

1)Bots—A bot (short for robot) is a computer on which a worm or virus has installed programs that run automatically and allow cybercriminals access and control. Cybercriminals use viruses or bots to search for vulnerable computers where they can load their own programs or storedata. A bot network is a collection of these infected machines, often compromised weeks or months earlier by attackers using worms or viruses to plant backdoor components that can be centrally controlled and used to launch simultaneous attacks. Spammers, hackers, and other cybercriminals are acquiring or renting bot networks, making it harder for authorities to track down the real culprits.

2)Keylogging—A program that covertly recovers the keys typed by a computer user and either stores the data for later access or secretly sends the information to the author. The advantage of a keylogger program is that the cybercriminal does not need to trick a computer user into supplying sensitive information.

3)Bundling—Covertly attaching a virus or spyware to a benign or legitimate download, such as a screensaver, a game, freeware, or an image. When the computer user downloads and installs the legitimate file, they are unwittingly also giving permission to install the criminal program.

4)Denial of Service—An attack specifically designed to prevent the normal functioning of a computer network or system and to prevent access by authorized users. A distributed denial of service attack uses thousands of computers captured by a worm or trojan to launch tens of thousands of e-mail messages at the target in a very short time. Attackers can cause denial of service attacks by destroying or modifying data or by using zombie computers to bombard the system with e-mails until its servers are overloaded and other users can no longer gain access.

5)Packet Sniffer—Software program that monitors network traffic. Attackers use packet sniffers to capture and analyze data transmitted via a network. Specialized sniffers capture passwords as they cross a network.

6)Rootkit—A set of tools used by an intruder after hacking a computer. The tools allow the cybercriminal to maintain access, prevent detection, build in hidden backdoors, and collect information from both the compromised computer and from other computers systems on the network. Rootkits are available for most major operating systems.

7)Spyware—Software that gathers information without the users’ knowledge. Spyware is typically bundled covertly with another program. The user does not know that installing one also installs the other. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather and relay information one-mail addresses, passwords, and credit card numbers.

8)Scripts—Short programs or lists of commands, usually available as shareware from hacker sites, that can be copied, remotely inserted into a computer, and used to attack and disrupt computer operations.

9)Social Engineering—Social engineering is not limited to cybercrime,but it is an important element for cyber fraud. Social engineering tricks or deceives the recipient into taking an action or revealing information. The reasons given seem legitimate but the intent is criminal. Phishing is an obvious example—a certain percentage of users will respond unthinkingly to a request that appears to be from a legitimate institution.

10)Malicious Code – Worms and Trojans

Trojan is a malicious program unwittingly downloaded and installed by computer users. Some trojans pretend to be a benign application. Many hide in a computer’s memory as a file with a nondescriptname. Trojans contain commands that a computer automatically executes without the user’s knowledge. Sometimes it can act as a zombie and send spam or participate in a distributed denial of service attack, or it can be a keylogger or other monitoring program that collects data and sends it covertly to the attacker. Many trojans now also attempt to disable anti-virus programs.

Worms are wholly contained viruses that travel through networks, automatically duplicate themselves and mail themselves to other computers whose addresses are in the host computer. They propagate by sending copies of themselves to other computers through e-mail or Internet Relay Chat (IRC).

In the past, we’ve seen spammers occasionally use worms and trojans to hijack a victim’s Web browsers. They replace the victims’ home and search pages with links to Web spam, as well as drop links to the spam in the victims’ bookmarks and on their desktops. To make money, they infect computers with malicious code that generates fraudulent ad views (by repeatedly visiting Web pages with specific ads for which the criminals are paid for driving users to view the ads). Criminals have also used dialers, programs designed to use victims’ computer modems to dial national or international “premium services” phone numbers, generating unwanted charges.

One trick in the spammer’s arsenal is to use worms and trojans to create spam relays. Backdoor.Hogle’s creator designed it specifically for this purpose. After infecting a system, it checks to see whether the host’s IP address is listed in the blacklists that spamcop.net and abuse.net maintain; if it’s listed, the program terminates. Several other worms are suspected vehicles for installing proxies that spammers can use (for example, the currentcrop of MyDoom worms).

Reverse HTTP proxies Spam sometimes points the recipient back to a Web site. Antispam crusaders attempt to track down these Web sites, contact the responsible ISPs, and have them shut down. This denies the spammer satisfaction even if a user is fooled into visiting a site. A backdoor found in the wild, Backdoor. Migmaf, had a clever way to get around this counterattack. It acted as a reverse HTTP proxy (see www. lurhq.com/migmaf.html), infecting thousands of computers. The spammer sent out spam with links to hosts such as linkxxxsites.com, and then used the domain’s DNS servers to point the hostname to an infected machine’s IP address. The machine would then proxy the HTTP request to the real Web server and send results back to the client, thus hiding the true Web server’s IP address from the client. The spammer changed the IP address that the hostname pointed to every 10 minutes, so to shut down the Web site, antispam activists would have had to determine the IP addresses of thousands of infected machines and disable, disconnect, or disinfect them—a difficult job indeed. Backdoor.Migmaf also acted as a SOCKS proxy server, which permitted the spammer to send out anonymous spam. Infected machines participated in a PayPal phishing scam by acting as a proxy for the scam’s Web site (www.securityfocus.com/archive/1/328772). Evidence suggests that spammers similarly used an earlier worm, W32.HLLW.Fizzer, to point to their spam Web sites.

12)Virus—A program or piece of code that spreads from computer to computer without the users’ consent. They usually cause an unexpected and negative event when run by a computer. Viruses contaminate legitimate computer programs and are often introduced through e-mail attachments, often with clever titles to attract the curious reader.

13)Zombie—A computer running programs that give control to someone other than the user. Zombies automatically execute commands from someone other than the user, without the user’s knowledge. Zombies are created by placing executable code on a user’s machine (often through use of a trojan); a cybercriminal can gain control of the computer and have it automatically (and usuallycovertly) execute a command to initiate a denial of service attack, send spam, or perform other activities.

14)Internet message boards – Internet message boards dedicated to stocks are fertile ground for impersonators. A habit of many posters to these boards is to cut-and-paste press releases and news stories from other electronic sources into their posts to alert other posters and visitors to that information. Frequently, posters will paste in a hyperlink to direct a reader to a source directly, as Hoke did in the PairGain hoax. (http://www.sec.gov/litigation/litreleases/lr16266.htm) In addition to the rising threat, as nation level attacks become more plausible, the vulnerabilities have also increased.

Evolution & Profile of the attacker

There is a growing convergence of technically savvy computer crackers with financially motivated criminals. Historically, most computer crime on the Internet has not been financially motivated: it was the result of either curious or malicious technical attackers, called crackers. This changed as the Internet became more commercialized and more of the public has gone online. Financially motivated actors —spammers and fraudsters, soon joined crackers to exploit this new potential goldmine. Criminals have fully adopted the techniques of crackers and malicious code authors. These are financially motivated people, and we must assume that they will pursue their goals considerably more aggressively than an average cracker. They have the monetary means to buy the required expertise to develop very sophisticated tools to accomplish their goals of spamming and scamming the public.

The perpetrators of these attacks vary considerably. At the low end are script kiddies, who are usually unsophisticated users that download malicious software from hacker web sites and follow the posted instructions to execute an attack on some target. These attacks are often only annoyance attacks, but they can be more severe. At the next level are hackers who are trying to prove to their peers or to the world that they can compromise a specific system, such as a government web site. Next are insiders, who are legitimate users of a system that either access information that they should not have access to or damage the system or data because they are disgruntled. Insiders are often less knowledgeable then hackers, but they are often more dangerous because they have legal access to resources that the hackers need to access illegally. Next are organizational level attacks. In this case, the organization’s resources are used to get information illegally or to cause damage or deny access to other organizations to further the attacking organization’s gain. These can be legitimate organizations, such as two companies bidding on the same contract where one wants to know the other’s bid in order to make a better offer. They could also be criminal organizations that are committing fraud or some other illegal activity. At the highest level is the nation state that is trying to spy on or cause damage to another state. This level used to be called “national lab” attackers, because the attackers have a substantial amount of resources at their disposal, comparable to those that are available to researchers at a national lab, such as Los Alamos Laboratory or Lawrence Livermore Laboratory. After the September 11, 2001 terrorist attacks on the World Trade Center, the idea of nation state level cyber attacks being carried out by terrorists became a big concern.

Malware and Threat Evolution

Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent. While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords. Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces. On the whole, there is very little danger that classic file viruses will cause any major epidemics. The trends in virusology that we observe today have their primary roots in the second half of 2003. Internet worms Lovescan, Sobig, Blaster, Slammer and Sober all not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers. In 2003, we witnessed the emergence of an attack type that combines exploitation of server and workstation vulnerabilities with the characteristics of virus and Trojan horses. By using more efficient attack vectors and, therefore, minimizing the human effort required to deliver attacks and use the compromised systems, the risks related to newly discovered vulnerabilities moved up in the risk measurement scale.

Optimizing costs, achieving greater efficiency, and applying the minimum necessary effort to accomplish your goal are not foreign concepts to most aspects of our lives in today’s world. Therefore, it is not difficult to identify the same approach in the vulnerability exploitation techniques and attack trends. We can easily explain the appearance of many and more efficient worms as a result of attackers’ attempts to maximize their bang for the “bug”: Compromise a very large number of systems with minimal effort. The steadily increasing amount of cross-site scripting and SQL injection vulnerabilities discovered and disclosed during 2003 point to another path of less resistance into vulnerable networks. These vulnerabilities have rather simple ways of exploitation, yet they provide casual attackers with a high yield: Direct access to internal networks, compromise of database servers and their content, and indirect ways of attacking unsuspecting users of third-party systems. More-sophisticated, harder-to spot, and, allegedly, harder-to exploit vulnerabilities could become suitable attack vectors if exploitation of such bugs yields promising benefits. You can find an example of such a rewarding outcome for an attacker dedicating time and effort to exploit a “hard to get” vulnerability, a bug for which writing exploitation code requires a considerable amount of technical skill and time in the November 2003 report of the compromise of a popular Linux distribution’s systems (www.debian.org/security/2003/dsa-403). The less-effort principle might also apply to attack vectors and vulnerability exploitation and to the use of compromised systems after successful attacks. The level of sophistication in worms seen in 2003 and the installation of backdoors and tools with elaborate communication protocols and auto update capabilities indicate that attackers are also trying to optimize the management of large amounts of newly acquired assets.

Because there were no new critical vulnerabilities in Windows, and this meant that virus writers had to find other popular methods of data transmission to distribute their creations. classic email worms are on the decline, with network and instant messaging worms exploiting relatively lax security to take their place in early 2005. IM worms were at the peak of their development in spring and summer 2005, and showed the highest growth rate among all classes of network worms. In the first six months of this year, an average of 28 new IM worms were detected every month. It should be stressed here that when P2P worms were at the peak of their evolution in 2003, approximately 10 new variants were detected every week.

However, suddenly the situation changed. The flood of IM worms suddenly dried up: AOL and MSN, both of which have proprietary IM clients, were the main targets for such worms. Both companies took measures to protect their users: firstly, by blocking the transmission of files with names and extensions which were known to be used by IM worms. In spite of the fact that IM worms rarely use file transmission as a propagation method, the move did have a noticeable effect. The next step was to block the worms' main method of propagation: hyperlinks leading to files containing the body of the worm.

These actions closed the majority of security loopholes being exploited by virus writers. And most importantly, they closed the loopholes which IM worms based on source code circulating in the computer underground used. Most of the code used in IM worms is of fairly low quality. The majority of these worms are created by script kiddies who have no significant programming skills. When the off the shelf code was no longer effective, these self styled virus writers were unable to create new propagation methods on their own, and this led to a sharp drop in the number of new worms.

However, phishing attacks are now moving to the fore; the convergence of adware and malicious code, the increase in botnets, and malicious programs for mobile devices seem to indicate that this year may simply be the calm before the storm. Improved antivirus technologies, and increased user awareness of security issues are clearly forcing virus writers and hackers to use new approaches to access users' information and systems. Attack vectors are changing. Malicious users are starting to use viruses which propagate by exploiting vulnerabilities within web applications, particularly Internet Explorer, rather than network and email worms. One consequence of this is an increase in the number of compromised sites. Exploits for IE are placed on compromised sites, which means that users who visit these sites will have Trojans downloaded to their machines. Such attacks tend to become more prevalent at times when there are no critical vulnerabilities in Windows. To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware. We have absolutely no doubt that the near future will show a change of approach from malicious users. They will move away from searching for vulnerabilities in traditional operating systems - Windows/*nix and associated applications - towards networking equipment, firewalls, and antivirus solutions.

Handhelds- PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. The first Trojan for Palm OS appeared in September 2000. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decided that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly. Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear. And finally, the increasing interest in on-line games, with the potential profits to be made in this area, make it more than likely that malicious code designed to steal such information will continue to evolve rapidly. The first Trojan for gaming consoles had also been discovered. Sony PlayStationPortable was the first victim - the Trojan targeting this device deleted system files causing the console to cease functioning correctly. This behaviour is very similar to Trojans for mobile phones. A few days later, a Trojan targeting Nintendo DS was detected. It may be that these new Trojans for gaming consoles signal the start of a new interest among virus writers.

Evolution of Exploit Frameworks

Computer attackers, both the evil ones and pro-penetration testers, increasingly rely on powerful exploitation frameworks to launch their attacks. Free tools like Metasploit and commercial tools like CORE IMPACT and Immunity CANVAS have revolutionized the attackers' methodology. In the old days, upon finding a vulnerability, the attacker either had to create custom exploit code from scratch or scour the Internet to find such code to exploit the hole. Today, instead of scraping together a bunch of individual exploits, these integrated exploit frameworks include around one hundred or more exploits to compromise target systems. One of the nicest properties of the exploit tools from an attacker's perspective is the separation of the exploit from the payload. An exploit is the software that takes advantage of a flaw, letting the attacker load and execute machine language instructions [that is, a program] of the attacker's choosing. The code triggered by the exploit is known as the payload. Old-fashioned attacks tightly bundled exploits and payloads together. You might have a buffer-overflow attack against a vulnerable FTP service, which would give the attacker command-shell access. Another attack might exploit a database buffer overflow with the purpose of adding a user for the attacker to the local administrators group. But, with this tight integration, the attackers were stuck with the given payload attached to the given exploit for the given vulnerability. Taking the payload from one attack and embedding it with another exploit required some serious machine-language fine tuning, and was often impossibly difficult. To remedy this situation, today's exploit frameworks include an arsenal of different exploits and an arsenal of different payloads, each offering a different effect the attacker wants to have on the victim. So today, the attacker can use a tool like Metasploit to choose an exploit [such as a buffer overflow in lsass.exe, originally used by the Sasser worm last year]. Then, the attacker can choose from more than a dozen different payloads. Metasploit packages the payload with the exploit, and then launches it at the target. The real effect of these frameworks in separating the exploits and the payloads is now reverberating through our industry. Developers who create fresh exploits for new flaws don't have to reinvent the payload wheel every time. Thus, they can focus their time on perfecting their exploits and producing them much more quickly. What's more, those developers who don't focus on exploits can now zoom in on the production of really high-quality, massively functional payloads.

Defence Evolution

Our computer security has been only reactive for most part. That is, system administrators and security professionals are usually reacting to the latest attack. After they fix the vulnerability that allowed the attack, the attackers look for new vulnerabilities to exploit for new attacks. Trends in worm and virus delivery mechanisms and infection speed have also changed. Not long ago, a virus warning and the patch to vaccinate computers against it would appear days before the virus began spreading. Today, too often the first sign of a virus is that a part of the network goes down. Flash worms such as SQL Slammer have paved the way for future worms to carry payloads that directly target their victims and wreak havoc on government, business, and societal structures. Existing technologies such as firewalls, intrusion detection systems, intrusion protection systems, virtual private networks (VPNs), and virus scanners provide integrated security solutions. Not surprisingly, security has become a massive industry, and it is now a focal point for virtually every organization. Proactively eliminating just the known threats places an impractical burden on existing server and network infrastructures. Eliminating unknown threats or day zero attacks—which, as the name implies, reveal themselves only when they first occur—requires new real-time solutions that can identify unique attacks without overburdening the network with security and management overhead. To address both the threats facing networks today and future scalability demands, we need new security methodologies, deployment strategies, systems, and architectures. The imagination of social engineers knows no bounds. Social engineers are highly aware of Internet users' psychology and well able to exploit current anxieties. In connection with this it should be stressed that the attempts of some companies to create a browser which is capable of determining the veracity of any site visited, or a browser which protects information stored on the potential victim machine are unlikely to be 100% successful, as they will be unable to solve the problem entirely and will always be one step behind virus writers and cyber scammers.

Cyber Victims

The early attacks were mass attacks which affected the whole internet community and several business. Toolkits written to allow cybercriminals with little or no technical knowledge to perform denial of service attacks and create their own viruses and Trojan horses. Between 1996 and 2000, high-profile web sites such as eBay, the U.S. Department of Commerce, UNICEF, the New York Times and Microsoft all fell victim to hackers or defacers. The Melissa virus caused company email servers to shut down. A fraudulent web page that was designed to appear to be a Bloomberg financial news story resulted in the shares of a small tech company increasing 31 percent in response to the false “news.” As we entered the 2000s, a huge, distributed DoS attack shut down major Web sites suchas Yahoo! and Amazon. Apache, RSA Security, and Western Union were hacked, the Code Redworm attacked thousands of web servers, and the Sircam virus hit e-mail accounts all over the world. As of today, spam accounts for forty percent of all email sent, a staggering 12.4 billion messages a day, worldwide. Malicious users are now changing their focus from conducting mass attacks to targeting specific business structures, and these attacks are tailored to each individual case. Identify thefts and Credit card Fraud are prevalent attacks affecting the public directly. Social engineering remains a threat, and that the methods used are continuing to evolve. The biggest mass mailings were comparable in size to the activity shown in December and January of 2004/5, when cyber scammers exploited the tsunami in South East Asia. Cybercriminal target people who are new to the internet and people who are naturally naïve. With huge numbers of people connecting to the Internet for the first time every year, cybercriminals always have a fresh crop of Net newbies on which to prey. Elderly people, youngster and kids are also among the top targets. Children are, of course, the targets of some of the Internet’s worst of the worst: pedophiles.

Current Situation

The Computer Security Institute(CSI) announced the results of its 10th annual Computer Crime and Security Survey. Highlights of the 2005 survey include the following:

• The total dollar amount of financial losses resulting from security breaches is decreasing, with an average loss of $204,000 per respondent, down 61 percent from last year’s average loss of $526,000.

• Virus attacks continue as the source of the greatest financial losses, accounting for 32 percent of the overall reported losses.

• Unauthorized access showed a dramatic increase and replaced denial of service as the second most significant contributor to computer crime losses, accounting for 24 percent of overall reported losses and showing a significant increase in average dollar loss.

• Theft of proprietary information also showed a significant increase in average loss per respondent, more than double that of last year.

• The percentage of organizations reporting computer intrusions to law enforcement has continued its multiyear decline. Respondents cited the concern over negative publicity as the key reason for not reporting intrusions to law enforcement.

References:

http://www.securitypark.co.uk/article.asp?articleid=24493&CategoryID=33

http://www.acsu.buffalo.edu/~djfrey/ICO631/631final_individual.pdf

http://www.mcafee.com/us/local_content/misc/mcafee_na_virtual_criminology_report.pdf

http://www.viruslist.com/en/trends

http://www.thedisease.net/arcana/law/cybercrime.pdf