Better law enforcement -- always good for us?
If law enforcement improves, we will all be safer. Right? Well actually, maybe not.
Online fraud is rampant, and the trends are sinister. However, law enforcement, in collaboration with affected service providers, is making substantial progress in going after criminals. The good guys are now routinely capturing drop boxes (the machines used by phishers to collect stolen user credentials), and are often able to trace attacks back to the likely offenders. Newspapers occasionally run stories about busted crime rings. Crimeware writers spend time in jail. Hopefully, increasing risk of being caught will deter many would-be criminals. But to some extent, it is also changing the nature of the crimes.
If you were in the business of online fraud, what would be your reaction to improved law enforcement efforts? Maybe you would avoid phishing, and instead focus on click-fraud? (That would make sense, since phishing is a criminal act, but click-fraud -- depending on how it is committed -- may simply be a breach of the terms of service.) Or maybe you would be willing to commit crimes, but only if you were almost certain that you could not be traced.
Consider a criminal who wants to attack an organization, let's call it ABC. We assume that ABC is a publicly traded company. The criminal starts by collecting data about the organization, such as its org chart. That is not so difficult -- for example, try googling 'at ABC site:linkedin.com' (substituting your favorite organization for ABC) and see if anything shows up. Then, the criminal purchases put options in ABC. That's a financial instrument whose value increases when ABC's stock goes down. Then, the criminal unleashes an attack against ABC. Maybe he emails selected employees, spoofing the emails to make them appear to be sent by close colleagues (remember, we assume he knows the org chart). In the emails, the criminal suggests that the recipient review some attached PowerPoint slides or a Word document, where these are infected with crimeware. The attachment does not even have to be of the type that it is claimed to be, but could simply be an executable. He hopes that the emails get delivered and that somebody falls for the trick. A successfully installed piece of crimeware starts digging for confidential information. Maybe some customer records. The crimeware leaks the records onto the web (but does not send them to the criminal in particular). Public outrage ensues, ABC apologizes publicly, their stock drops. The criminal exercises his options and cashes in -- but so does everybody else who happened to hold put options, so how can you tell which of them, if any, is the criminal?
You can probably imagine a large number of variations on this attack. The bottom line is: vandalism may pay off, and may become part of the monetization game in crimeware, simply because it makes it harder to follow the trail of money. This changes a lot. Today, most security researchers assume a rational adversary, and design security mechanisms based on that assumption. But vandalism is not traditionally seen as rational, and is therefore often overlooked -- simply because it is so much harder to deal with.
It is time for us to start thinking about what new monetization techniques criminals may use, and what possible trends in society may affect our bottom-line security -- see my recent post Free iPhones ... then what? for another example of such a connection. And it is time for us to review our existing systems to see what could cause difficulties, and fix those that do.