Web of Crime: Enter the Professionals

Online pranksters give way to organized gangs determined to mine your technology for illegal profit.

Erik Larkin, Special to PC World


Artwork by Diego Aguirre
Part 1 of a special five-part series.

You can't do serious business today without a Web site. And most company owners know that their sites have to be protected from teenage vandals and small-time hackers.

But Internet crime has grown up. Today, if your business comes under attack or your computer gets infected with a virus or worm, the culprit is far more likely to be someone who expects to make money from the assault.

Figures measuring the impact of malware-based crimes are hard to come by because most information in this area is anecdotal. However, a 2004 PricewaterhouseCoopers survey of more than 1000 businesses in the UK found that, on average, companies spent more than $17,000 on their worst security incident that year. For large companies the figure was closer to $210,000, with most of the cost arising from the disruption to their ability to do business. In addition, people who track or fight these crimes say that many affected companies never report them; instead, they either handle the problem themselves or turn to private security companies for help.

"The life that we had with the so-called pranksters instead of the pros is likely to end," says Shane Coursen, senior virus researcher at Kaspersky Lab, maker of security software. "If you exist as a business on the Internet, you should be greatly concerned."

The global virus and worm attacks we've seen thus far--Bagle, MyDoom, and Sasser--are just the beginning of a trend, Coursen says. For instance, this month's Windows Plug and Play attacks saw rival worms fighting each other for control of the same infected PCs. These days, Coursen adds, three out of every four pieces of malicious code (malware) that reach Kaspersky Lab are "obviously meant to make money."

Your business may be vulnerable to this new breed of criminals--Web thugs who have money, not mayhem, in mind--and as the mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century, the losses are growing. According to the 2005 E-Crime Watch survey of security and law enforcement executives, respondents estimated an average loss of $506,670 per organization due to malware and other types of e-crime. The survey was conducted by CSO Magazine (a sister publication to PC World) in association with the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT).

It's gotten so bad that CERT last year stopped publishing the number of computer crime incidents, saying: "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."

Henchmen, Extortion, and Protection Money

Sometimes the bad guys are corporate competitors who hire Web gangs to take your site down and ruin your business, leaving the arena to them. Others take the Tony Soprano route, sending extortion notes that may demand $100,000 or more to call off a threatened attack. Some even use the time-honored protection money gambit, promising to shield you against attacks--by themselves or other wise guys--as long as you pay up regularly.

Michael Reich knows all about this. He handles IT for Expert Satellite, a midsize firm in Worcester, Massachusetts, that installs digital satellite entertainment systems. Reich has more than 20 years of IT experience and, until recently, was confident that his company's network was well protected against "hackers and thieves and other teenage mischief."

He wasn't thinking big enough.

In February of 2004, Reich got an early-morning emergency call from Expert Satellite. Nobody could connect to the company's Web servers--a serious problem for a firm that does 70 percent of its business online. The source of the trouble wasn't a failed server or a downed router. Expert Satellite was under attack.

For five days, meaningless data from thousands of places around the Internet bombarded the company's two Web servers. The technique, a distributed denial-of-service (DDoS) attack, effectively knocked Expert Satellite's Web site off the Internet.

"From the outset, we were overwhelmed," Reich says. Any countermeasure he and his team tried might gain them an hour's respite, but then the attack would return in full (or redoubled) force. "We found they could ratchet up the volume seemingly at will," he says.

At one point, Reich's servers became so physically hot from trying to process the flood of data that he had to shut them down to prevent permanent hardware damage. "It was a major hit to our company," he says.

Expert Satellite finally fended off the onslaught by moving its servers to a hosting company, Rackspace Managed Hosting, whose network is set up to protect clients against DDoS attacks.

The motive for the attack doesn't appear to have been simple vandalism. In August 2004, a federal grand jury in Los Angeles indicted Saad "Jay" Echouafni, 37, the chief executive officer of Orbit Communication in Sudbury, Massachusetts--a competitor of Expert Satellite. The indictment alleges that Echouafni and a business partner hired a clutch of computer hackers to launch the DDoS attacks against Expert Satellite and other companies.


The FBI's online wanted poster for Saad "Jay" Echouafni.

In the online wanted poster for Echouafni, who has since fled the country, the FBI calls this case "the first successful investigation of a large-scale distributed denial of service attack used for a commercial purpose in the United States."

But it won't be the last. Other companies' Web sites continue to be hit by DDoS and other attacks in ways that show how much the Internet has come to resemble the analog world.

"Criminal activities on the Internet are increasing," says James Lewis, a senior fellow and director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington, D.C. "It's easy work, and there's plenty of good stuff to steal."

In its July 2005 North American Study into Organized Crime and the Internet, the antivirus firm McAfee said that it now sees 2000 potentially malicious threats each month, up from 300 per month two years ago. The study, which Lewis authored, went on to say, "Criminals now use the Internet for extortion, fraud, money laundering, and theft."

It's All About the Money

Set in motion by Internet thugs who try to extort money from hapless companies, DDoS attacks may be the most intense and dramatic example of money-motivated Internet attacks. But a wide range of other dirty online deeds have the same goal.

Tech-savvy sneaks use spyware to steal company secrets. Scammers hijack PCs across the globe and use them to launch e-mail-based identity theft schemes. One novel extortion attempt even used malware to encrypt a company's own files. The bad guys then demanded a $200 ransom from the business in return for a decryption key. Luckily this plot was foiled, but security experts warn that the technique could be revamped and may reappear.

All of these attacks are linked by the profit motive and by their use of malware, formerly the province of cybervandals and attention-hungry hackers. These days, viruses, spyware, and other malicious code can be integral parts of a sophisticated scheme to pull in illegal cash.

"All you are seeing is the illegal behavior that is present in the real world...being ported to the electronic world," says Robert M. Morgester, a deputy attorney general in the California Department of Justice's special crimes unit, which prosecutes Internet crime.

The use of malware to make money has intensified in the past 18 months, and as criminals organize and sharpen their skills at digitally leeching money, the cost to legitimate business is skyrocketing. For instance, a study by information systems research company Computer Economics puts the worldwide financial impact of major virus attacks at almost $18 billion in 2004, up from $13 billion in 2003. Not all of those attacks were designed to make money, however.

Stan Quintana, vice president of managed security services at AT&T, works to protect business clients against DDoS attacks like the one that hit Expert Satellite. AT&T began offering dedicated DDoS protection to business clients about a year ago. In his experience, he says, the cybercriminals responsible for 80 percent of the attacks are trying to extort money.

"We were getting a lot of panic attacks from our customers saying they were under attack and they were being held for ransom and could we help them," Quintana says. Prolexic, a company founded in 2003 that protects businesses against DDoS attacks, repels at least one major attack every week, according to chief technical officer Barrett Lyon. Of those, slightly less than half involve one business attacking a competitor, as happened to Expert Satellite, he says. Most of the rest are extortion attempts, in which a criminal threatens a DDoS attack unless the company pays protection money (as much as $250,000). Very few attacks occur without a financial motive, Lyon says.

Night of the Techno-Zombies

Zombies do a lot of the heavy lifting in this dark business. No, not the walking dead--"zombies" are malware-infected computers that an online puppet master controls. Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab.

Botnets are popular because of their increasing sophistication and multiple uses. These versatile zombie armies can pull in cash for their controllers in a variety of ways. Sending spam--still a big money-maker--is one common use. Zombie networks can also steal personal information for purposes of identity theft.

When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site. By itself, the data from a single PC can't hurt a site. But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet.
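The paragraph above describes the traffic pattern that distinguishes a botnet-driven DDoS from an ordinary flood: the total rate is crushing, but no single source stands out. The following is an added example, not code from the article or from any company it mentions, that runs that distinction over Common Log Format web-server lines. The log lines are constructed here, and the rate and dominance thresholds are illustrative assumptions to be tuned against a site's real baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [18/Feb/2004:03:00:00 -0500] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_second) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp())


def hits_per_second(lines):
    """Map each epoch second to a Counter of hits per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            buckets[sec][ip] += 1
    return buckets


def classify_second(counter, rate_threshold=50, dominance=0.5):
    """Label one second of traffic.

    rate_threshold (hits/s) and dominance (share of hits from the busiest
    address) are assumed values for this example, not figures from the
    article.
    """
    total = sum(counter.values())
    if total < rate_threshold:
        return "normal"
    _, top_hits = counter.most_common(1)[0]
    # One address producing most of the load is a plain DoS that a single
    # firewall rule can stop; the same load spread over many addresses that
    # each look harmless on their own is the botnet DDoS pattern.
    if top_hits / total >= dominance:
        return "single-source flood"
    return "distributed flood"


def analyze(lines, **thresholds):
    """Return {epoch_second: (label, total_hits, distinct_sources)}."""
    return {
        sec: (classify_second(c, **thresholds), sum(c.values()), len(c))
        for sec, c in sorted(hits_per_second(lines).items())
    }


# --- constructed sample log (synthetic, not real traffic) ------------------
def _lines(sec, sources_and_hits):
    tz = timezone(timedelta(hours=-5))
    stamp = datetime.fromtimestamp(sec, tz=tz).strftime(TS_FMT)
    return [f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512'
            for ip, n in sources_and_hits for _ in range(n)]


T0 = 1077091200  # assumed start time (epoch seconds)

SAMPLE_LOG = (
    _lines(T0, [("203.0.113.7", 3), ("203.0.113.8", 2)])            # baseline
    + _lines(T0 + 1, [("198.51.100.9", 60), ("203.0.113.7", 2)])     # one attacker
    + _lines(T0 + 2, [(f"192.0.2.{i}", 1) for i in range(1, 81)])    # 80 zombies, 1 hit each
)

if __name__ == "__main__":
    for sec, (label, total, distinct) in analyze(SAMPLE_LOG).items():
        print(f"t+{sec - T0}s: {label:20s} hits={total:3d} sources={distinct}")
```

The single-source second is what a firewall rule or rate limit handles; the distributed second is the case the article describes, where each zombie's share is too small to block by address and the defence has to move upstream, as Expert Satellite did by relocating to a host with DDoS filtering.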

Experts at Kaspersky Lab and elsewhere now believe that the infamous, sophisticated malware duo of the Bagle worm and the MyDoom worm, which afflicted systems around the globe starting in early 2004, were specifically meant to recruit computers for botnets. Together, Bagle and MyDoom cost businesses around the world almost $7 billion in lost productivity and revenue, labor costs, and other expenses last year, according to the Computer Economics study. And while similar measurements for the impact of the Sasser worm weren't available, it affected hundreds of thousands of PCs: nearly 1.5 million users downloaded a Microsoft fix for the worm in the first two days it was offered.

MyDoom had a rather unsophisticated means of controlling host machines. Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose, according to Kaspersky Lab and other experts. As a result, MyDoom-compromised computers were very popular with online criminals for a while. The Bagle worm, by contrast, used a more sophisticated means of control to keep each machine's reins fully in the hands of its mysterious, still-uncaught author.

Nevertheless, botnets aren't the only means at the disposal of computer criminals to make an illegal buck.

Malware has made its way into the world of corporate espionage, too. In May, London police arrested two people suspected of writing the custom spyware used in a major business spy ring in Israel. As reported by the Israel News Service, Israeli police believe that the malware made its way to the target companies via files attached to e-mail messages or on computer discs distributed as a business proposal. Police found dozens of servers in Israel, the United States, and elsewhere containing stolen documents that the spyware sent to them, according to the report.

More to Come

Law enforcement is trying to keep up with the new trends, but in the meantime, experts say, don't expect profit-driven malware to disappear soon. CipherTrust, an e-mail security company that tracks botnets, reports that malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005. As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder--and botnets will become more powerful.

Also, the ability to move funds--including ransom payments--anonymously through convoluted Internet paths using human mules (much as in the drug trade) and online payment services means that criminals can revisit old approaches. For instance, Joe Stewart, a senior threat researcher at LURHQ, a South Carolina-based Internet security company, says that the file-encrypting extortion attack described earlier, which hit a Websense customer, had originally been tried back in 1989.

But "trying to get paid anonymously in 1989 was a lot different," Stewart says. "These schemes can now be reinvented because you can get away with it."

Tomorrow: How Botnets Work

Read the complete Web of Crime series on PCWorld.com.

©2009 About.com, a part of The New York Times Company.

All rights reserved.