There is no storefront or corporate headquarters for Cybercrime Inc., but savvy salesmen in a murky, borderless economy are moving merchandise by shilling credit card numbers. “Sell fresh CC,” promised one salesman who offered teaser credit card numbers for samples in New Jersey and Canada. “Visa, MasterCard, Amex. Good Prices. Many countries!”
Electronic crime is maturing, according to security experts, and with its evolution, clever criminals are adopting conventional approaches that reflect cold business sense — from supermarket-style pricing to outsourcing to specialists acting as portfolio managers, coders, launchers, miners, washers and minders of infected “zombie” computers.
In the United States alone, victims of reported Internet fraud lost $239 million in 2007, with average losses running about $2,530 per complaint recorded by a special Web-based hot line operated by the FBI and the National White Collar Crime Centre, a non-profit corporation focusing on electronic crime.
Phony frauds
The most common frauds were fake e-mail messages and phony Web pages and the crimes were organised from the United States, England, Nigeria, Canada, Romania and Italy, according to an FBI report issued last week.
Yet despite the increasing sophistication and elusiveness of e-criminals, judges remain reluctant to order much jail time for computer crime, according to some national law enforcement officials and such major companies as Microsoft.
A case in point is Owen Thor Walker, a self-taught computer wizard from New Zealand who, at 18 years old, pleaded guilty last week to criminal charges arising from his development of a vast international network of individual computers that he had hijacked and infected with hidden software or “malware” and remotely controlled.
Walker’s sentencing is scheduled for late May, but the judge on the case indicated that he would consider community detention and work release or some home detention for punishment of the teenager, who suffers from Asperger Syndrome, a form of autism. “Most of the time it’s very difficult for a judge to understand what’s going on and what the risks are,” said Eric Loermans, chief inspector of a Dutch high-tech crime unit, noting though that private companies that are not satisfied can also take civil action against offenders.
Loermans was part of the Council of Europe’s cybercrime forum in Strasbourg last week to develop guidelines for closer international cooperation between law enforcement and Internet service providers. Many came from countries where the police are regrouping, like India, where officers in New Delhi are being sent for cybercrime training in e-mail tracking and digital fraud, or the Netherlands, where the government is spending $22 million over the next four years to fight cybercrime.
‘Fast-flux’ trap
The aim is to keep up with an age-old game of cat-and-mouse that is accelerating, with newly emerging tools like “fast flux,” which allows cybercriminals to hide the national location of spamming and phishing Web sites: the sites surface for minutes on a bot computer in one country before moving to another infected bot in another country. The advantage of fast flux, according to experts, is that attackers can register a child-pornography site or a fake bank that is not tied to a single domain that can be tracked and shut down. The flux techniques were used in phishing frauds this year that targeted bank customers in England, where criminals created fake bank sites mimicking Barclays and Halifax banks, requesting personal information.
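The rotation described above leaves a measurable trace in DNS answers, which is what defenders look for. The following Python sketch is an added example, not part of the original article: it profiles constructed passive-DNS observations and flags names whose hosts change within minutes across several countries. The sample records, function names and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (minute seen, domain, A-record IP, TTL seconds, country).
# IPs come from documentation ranges (RFC 5737); domains use the reserved .example TLD.
OBSERVATIONS = [
    (0, "login-bank.example", "192.0.2.10", 180, "RO"),
    (4, "login-bank.example", "198.51.100.7", 180, "IT"),
    (9, "login-bank.example", "203.0.113.44", 120, "CA"),
    (13, "login-bank.example", "192.0.2.91", 180, "NG"),
    (18, "login-bank.example", "198.51.100.23", 120, "US"),
    (0, "shop.example", "203.0.113.5", 3600, "GB"),
    (10, "shop.example", "203.0.113.5", 3600, "GB"),
    (20, "shop.example", "203.0.113.6", 3600, "GB"),
]

def flux_profile(observations):
    """Summarise, per domain, how often the answer moves between hosts and countries."""
    by_domain = defaultdict(list)
    for minute, domain, ip, ttl, country in sorted(observations):
        by_domain[domain].append((minute, ip, ttl, country))
    profiles = {}
    for domain, rows in by_domain.items():
        # Dwell time: minutes one IP stayed in the answer before a different IP replaced it.
        dwell, start = [], rows[0][0]
        country_hops = 0
        for prev, cur in zip(rows, rows[1:]):
            if cur[1] != prev[1]:
                dwell.append(cur[0] - start)
                start = cur[0]
                country_hops += cur[3] != prev[3]
        profiles[domain] = {
            "ips": len({r[1] for r in rows}),
            "countries": len({r[3] for r in rows}),
            "country_hops": country_hops,
            "median_dwell_min": median(dwell) if dwell else None,
            "median_ttl": median(r[2] for r in rows),
        }
    return profiles

def flag_fast_flux(profiles, max_dwell_min=10, min_countries=3, max_ttl=300):
    """Flag domains whose hosts rotate within minutes across countries (assumed thresholds)."""
    return sorted(
        d for d, p in profiles.items()
        if p["median_dwell_min"] is not None
        and p["median_dwell_min"] <= max_dwell_min
        and p["countries"] >= min_countries
        and p["median_ttl"] <= max_ttl
    )
```

Legitimate content-delivery networks also return many short-lived addresses, so a flag from these thresholds is a lead for an analyst to review rather than a verdict.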
David Roberts, chief executive of the Corporate IT Forum, which represents 150 companies in Britain, said his group was pressing for a single confidential channel where corporate security chiefs could report cybercrimes. Roberts said that major companies rarely reported crimes because they wanted to protect their own reputation. And he said they might deal with it discreetly, perhaps by simply paying nuisance attackers to go away.
The fast-flux technique, Roberts said, was a further illustration of how online crime has evolved. “They are professional, large, well organised and they are best called companies.”
Microsoft, which has its own teams of private investigators to combat cyber threats to the company, is now taking a more “holistic” approach to confront electronic fraud through conferences and training programs. “It’s just not sufficient to bring cases to police,” said Jean-Christophe Le Toquin, an Internet Safety Director for Microsoft. “It’s not sufficient to have conferences on cybercrime. What you have to do is both of these things and then offer training to judges on cybercrime so that the parliament, the police, the judges are all trained at the same time.”
Microsoft is also turning its lawyers toward another flaw in e-commerce called typosquatting, bringing trademark-infringement challenges against individuals who register domain names with misspelled versions of the Microsoft name to make money from unsuspecting computer users through pay-per-click advertisements.
International Herald Tribune