Rugged, flawed, morally complex: Sabu was a hacker from central casting. But when it comes to the enterprise of cybercrime, the lone-wolf prodigy is the exception, not the rule. For most cybercriminals, this is business. “You can’t underestimate the fact that it’s becoming a highly specialized industry,” says Rafal Rohozinski, CEO of SecDev Group, an Ottawa-based security firm. Increasingly, he says, work is divided along a vertical chain. “It’s unlikely that you’re going to have people who own the whole value chain. Rather it’s a specialized, segmented business that comes together.”
There’s an ever-expanding list of ways to make cybercrime pay, but some are more common than others. Credit card numbers acquired by hook or crook can be charged. Botnets can be used to commandeer thousands of computers to defraud advertising networks by fraudulently clicking on online ads, each click worth a fraction of a cent. The threat of denial-of-service attacks can be used to extort sums from companies or utilities that can’t afford to be knocked offline.
Some specializations have a national flavour. The Philippines has a reputation for enlisting workers to break CAPTCHAs—the distorted text that verifies whether a user is human. Russia specializes in transforming digital wealth into physical assets. (Items bought with stolen credit card numbers need to be sent somewhere, after all.)
Demographics play a part as well. Cybercrime correlates with high education and high unemployment. In some countries, it’s a way of getting rich. In West Africa, money-transfer scams are a way out of poverty.
And while hacktivists can act like the weather, striking without warning as the eddies and currents of millions of connected users coalesce to form new social movements, cybercriminals tend to follow the path of least resistance to the greatest reward. This gives them at least a degree of predictability. “Okay, so I can open all the water valves in Trenton by remote IP,” says Rohozinski. “What’s the particular gain that a cybercriminal’s going to get from this?”
I is for Impersonation
Pretending to be someone you’re not is a cybercrime fundamental. The essence of “phishing” is fooling users into giving up information, as with spam e-mail purporting to be from a bank that needs your password to “protect your account.”
But when trying to crack a high-value target, attackers will take the extra step of impersonating a target’s friends and co-workers—a tactic called “spear-phishing.” It could go like this: An attacker uses malware to gain access to corporate e-mail, allowing the attacker to read correspondence and send e-mails in their victim’s name. No need to play the CEO; impersonating a grunt in the IT department, who e-mails around saying he “needs your passwords” to perform maintenance, can garner all the access the attacker wants.
J is for John Sawers
Sir John Sawers might reasonably have been irked at his wife for posting vacation photos of him in a Speedo on Facebook, or because she posted their home address and their children’s locations on her public profile. Still, all of this might have been passable, but for the fact that Sawers had just been appointed the head of MI6—Britain’s spy agency. A moral emerged in the public lambasting that followed: All the technology in the world will not prevent a human intelligence failure. Education for employees—and their families—is key.
K is for Koobface
The Facebook virus, which showed that social media is addictive for criminals, too. Koobface infected a computer, then sent a lurid message to its owner’s Facebook friends, tricking them into downloading an infected phony software update. When documented in 2010, the network was found to have generated more than $2 million by commanding infected computers to send clicks to various affiliate programs.
Facebook eventually took the dramatic step of publicly naming the Russian crew behind the now-defunct scheme. But there will be others. Twitter battles a spam problem every day, and, in March, word circulated about the latest threat: Pinterest scammers.
L is for Loss
In 2011, 22% of Canadian businesses surveyed by Telus and the Rotman School of Management reported that laptops or mobile devices had gone missing—the second-most common security breach, after infection by viruses. There’s a silver lining: Technologies that “remotely wipe” or disable misplaced devices are proliferating. Their makers might find a client in NASA, which last year reported the theft of a laptop—one that contained unencrypted command-and-control codes for the International Space Station.