Better law enforcement -- always good for us?
If law enforcement improves, we will all be safer. Right? Well actually, maybe not.
Online fraud is rampant, and the trends are sinister. However, law enforcement, in collaboration with affected service providers, is making substantial progress in going after criminals. The good guys are now routinely capturing drop boxes (the machines used by phishers to collect stolen user credentials), and are often able to trace attacks back to the likely offenders. Newspapers occasionally run stories about busted crime rings. Crimeware writers spend time in jail. Hopefully, increasing risk of being caught will deter many would-be criminals. But to some extent, it is also changing the nature of the crimes.
If you were in the business of online fraud, what would be your reaction to improved law enforcement efforts? Maybe you would avoid phishing, and instead focus on click-fraud? (That would make sense, since phishing is a criminal act, but click-fraud -- depending on how it is committed -- may simply be a breach of the terms of service.) Or maybe you would be willing to commit crimes, but only if you were almost certain that you could not be traced.
Consider a criminal who wants to attack an organization, let's call it ABC. We assume that ABC is a publicly traded company. The criminal starts by collecting data about the organization, such as its org chart. That is not so difficult -- for example, try googling 'at ABC site:linkedin.com' (substituting your favorite organization for ABC) and see if anything shows up. Then, the criminal purchases put options in ABC. That's a financial instrument whose value increases when ABC's stock goes down. Then, the criminal unleashes an attack against ABC. Maybe he emails selected employees, spoofing the emails to make them appear to be sent by close colleagues (remember, we assume he knows the org chart). In the emails, the criminal suggests that the recipient review some attached PowerPoint slides or a Word document, where these are infected with crimeware. The attachment does not even have to be of the type it claims to be, but could simply be an executable. He hopes that the emails get delivered and that somebody falls for the trick. A successfully installed piece of crimeware starts digging for confidential information. Maybe some customer records. The crimeware leaks the records onto the web (but does not send them to the criminal in particular). Public outrage ensues, ABC apologizes publicly, their stock drops. The criminal exercises his options and cashes in -- but so does everybody else who happened to have put options, so how can you tell who is the criminal, if any one of them?
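On the defensive side, the attachment trick in this scenario (a file claimed to be slides or a document that is really an executable) can be flagged at the mail gateway by comparing each attachment's leading bytes with the type its name claims. The following is an added example, not part of the original article; `audit_attachments` and `build_sample` are hypothetical helpers, and the message, addresses and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of native executables.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
# Leading bytes a genuine file of each claimed type starts with.
DOCUMENT_MAGIC = {
    ".ppt": b"\xd0\xcf\x11\xe0", ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 container
    ".pptx": b"PK\x03\x04", ".docx": b"PK\x03\x04",            # ZIP container
}

def audit_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for attachments whose bytes contradict their name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = next((k for m, k in EXECUTABLE_MAGIC.items() if data.startswith(m)), None)
        if kind:
            findings.append((name, f"{kind} executable content"))
        elif ext in DOCUMENT_MAGIC and not data.startswith(DOCUMENT_MAGIC[ext]):
            findings.append((name, f"content does not match {ext}"))
    return findings

def build_sample() -> bytes:
    """Constructed message: a disguised executable, a genuine-looking .doc, a mismatch."""
    m = EmailMessage()
    m["From"] = "colleague@abc.example"   # constructed addresses
    m["To"] = "employee@abc.example"
    m["Subject"] = "Please review"
    m.set_content("Slides attached.")
    pad = b"\x00" * 16
    m.add_attachment(b"MZ\x90\x00" + pad, maintype="application",
                     subtype="vnd.ms-powerpoint", filename="review.ppt")
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + pad, maintype="application",
                     subtype="msword", filename="notes.doc")
    m.add_attachment(b"plain text, not a ZIP", maintype="application",
                     subtype="octet-stream", filename="memo.docx")
    return m.as_bytes()

if __name__ == "__main__":
    for name, reason in audit_attachments(build_sample()):
        print(f"QUARANTINE {name}: {reason}")
```

A matching header does not make a document safe, since a well-formed Office file can still carry malicious content; the check only catches the type mismatch described above.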
It's a good time to consider previous suggestions on proper email credentials. In other words, per this example, company ABC would be very smart to create company user credentials for each person. Emails tag this personal credential when mailing internally to each other. If someone is spoofing their "Send From" credentials and the user's cred-key or symbol is not accompanying the email, the recipient should know it's not legit. Treat the mail as a hoax and send off a copy to corporate security to investigate. Next step, if proven to be found: Persecution to the spoofer in the form of a fine should be granted. Along with 4 persons within this individual's closest members. Parents, family, brother, sister and closest friend. "You received this as a reminder your friend is not an honest person." As an example. Let the world know these criminals are not innocent as they may claim. Cybercrimes are still a crime. Don't do the crime if you don't wish to do the time. Simple. Remember, guns don't kill - it's the one squeezing the trigger who kills.
Clever attack. One thing we can do is to develop techniques that can secure sensitive data on personal computers or mobile devices used by employees. But I must admit this can only address part of the problem.