Network News

X My Profile
View More Activity

Report: Cybercrime is Winning the Battle Over Cyberlaw

Law enforcement agencies worldwide are losing the battle against cyber crime at a time when criminals are increasingly using the global economic downturn to make headway in recruiting more computers and computer users to further illegal online activities, a scathing new report from security vendor McAfee concludes.

McAfee's annual "Virtual Criminology Report" (PDF) notes that the number of compromised PCs used for blasting out spam and facilitating a host of online scams has quadrupled in the last quarter of 2008 alone, creating armies of spam "zombies" capable of flooding the Internet with more than 100 billion spam messages daily.

In an increasing number of cases, those missives are playing on public fears over the battered economy, pitching recipients on too-good-to-be-true job offers aimed to enlist them in cybercrime operations, McAfee said.

"Cybercriminals are cashing in on the fact that the economic downturn is causing people worldwide to increasingly turn to the Web to seek the best deals and jobs, and to manage their finances," the report charges. "They are preying on fear and uncertainty and taking advantage of the fact that consumers are often more easily duped and distracted during times of difficulties. In fact, opportunities to attack are on the rise."

At the forefront of this worsening problem are so-called "money mule" scams, in which criminals make use of third parties -- often unsuspecting consumers -- to launder stolen funds. Mule recruitment is an integral part of many cybercrime operations because money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement.

The mules, therefore, serve as a vital buffer, making it easier for criminals to hide their tracks. However, criminals tend to view money mules as expendable resources, because those unwitting accomplices usually either are confronted by authorities or lose money as a result of their participation in the scams.

In most cases, money mules are recruited via online job postings touted in spam. McAfee said that some 873 money-mule recruitment Web pages were detected in Britain alone in the first half of 2008, a 33 percent increase over the first half of 2007. That data was gathered by APACS, the United Kingdom's payment-industry trade group.

An investigation by washingtonpost.com earlier this year into a money mule network uncovered a database of thousands of U.S. citizens who had responded with interest to a single money mule scam e-mail campaign.

And there are ample signs that the criminals behind these scams are taking notice of those who would call attention to their methods. Bob Harrison, one of the individuals I interviewed in that story who spends a great deal of time tracking these scams at his Web site, had his site recently targeted by a prolonged distributed denial of service (DDoS) attack, assaults typically launched by the same hordes of hacked PCs sending spam, but instead aimed at swamping a targeted site with so much junk traffic that it can no longer accommodate legitimate visitors.

McAfee's report quotes dozens of experts all driving home some very obvious points about how we are losing the battle against cyber criminals. Still, this is some of the most strident language I've seen about the scope and causes of that battle, and so I think they bear repeating here.

From the key findings:

Cybercrime is not yet enough of a priority for governments to allow the fight against it to make real headway. Added to that, the physical threats of terrorism and economic collapse are diverting political attention elsewhere.

Cross border law enforcement remains a long-standing hurdle to fighting cybercrime. Local issues mean laws are difficult to enforce transnationally. Cybercriminals will therefore always retain an edge unless serious resources are allocated to international efforts.

Law enforcement at every level remains ad hoc and ill-equipped to cope. While there has been progress, there is still a significant lack of training and understanding in digital forensics and evidence collection as well as in the law courts. The cyber-kingpins remain at large while the minor mules are caught and brought to rights. Some governments are guilty of protecting offenders in their own country. The findings suggest there is an ever-greater need to harmonise priorities and coordinate police forces across physical boundaries.

Pamela Warren, McAfee's chief cybercrime strategist, put it succinctly. "Law enforcement really needs to step up to the plate," she said.

By Brian Krebs  |  December 9, 2008; 10:44 AM ET
Categories:  Cyber Justice , Economy Watch , Fraud , From the Bunker , Latest Warnings , U.S. Government , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: A Scary Twist in Malware Evil-ution
Next: Microsoft Plugs at Least 28 Security Holes

Comments

I think this article highlights one of the aftermaths of economic slowdowns which is impacting IT the most. our lives are soo much dependant on IT and its services that we are exposed to cyber attacks from everywhere, unlike old days, when we have to only worry about physical or financial security. In times of crises IT pros should be motivated to channel their capacity in community jobs rather than trying to make quick bucks out of any security gaps.

I feel that bigger threat is to the larger organizations who are heavily dependant on IT, now it is time for them to share their profit margins and establish forums based on collaboration to fight against any Cybercrime or Cyber Terrorist attacks.

Internet is not limited by boundaries of State or Country, that is the main reason law enforcement agencies are facing challenges in controlling cyber crime, it is time that we bring leaders of industry together on a common platform for a common interest.

Tarun Gupta
www.tgupta.com | email@tgupta.com

Posted by: TarunGupta | December 9, 2008 1:30 PM | Report abuse

McAfee report points out what we already know, as the only website (e-victims.org) that provides advice and support for victims of e-crime and other online incidents, that e-crime is not on the UK's government's agenda.

We have several areas of enforcement where they refuse to take a report from victims. Today, in the UK if you are a victim of credit card fraud you do not report it to the police - you report it to your credit card company. Crazy

There is no political will to act on any aspect of e-crime other than child protection - until that changes we will see the UK continue to be a safe haven for Internet criminals.

Posted by: e-victims | December 10, 2008 6:56 AM | Report abuse

The reason cybercrime is winning is because we tolerate criminals, we live in a society that holds them up as heros! Look at Wall Street, corporate board rooms, our politician's. They took the bailout money and rewarded themselves and their "shareholders" with billions of dollars and turn around and continue to bilk consumers, outsource jobs and technology. Everyone chases after money and you can just forget about "the good of the country". If we made white collar crime a capital crime and executed the perpetuators this nonsense would soon end. Instead, we see Illinois Governor Blagojevich selling Obama's Senate seat, Obama and Bush and the Clinton's and Rangel and Schumer and Dodd involved up to their eyeballs in lies and corruption and the empty headed partisan's in their camps blindly defending them. We see Bank Of America receiving a $25 billion bailout and turn around and put hundreds of people out of work in some small but *profitable* window manufacturing company and cut off those workers final pay checks, deny them back vacation pay, but turn around and award one of it's CEO's a $10 million bonus! So long as these sorts of scum are worshipped, can walk the streets free, cyber criminals are small fry.

Posted by: mibrooks27 | December 10, 2008 10:35 AM | Report abuse

Fighting Spam and cybercrime is sort of like fighting cancer or heart disease. There is no single factor that accounts for it, and a multi-faceted approach is needed to counter it. One of the facets that IMO is not being adequately exploited is the millions of people who for whatever reasons maintain PCs in such a state that they can be turned into bots.

We should recognize these computers for the public menace that they are, and take appropriate steps. If a restaurant produces food that might be unhealthy, the government shuts it down. The government forbids vehicles to travel on public roads if they emit too much pollution. You get the idea. But we do nothing about the millions of PCs that, largely through owner incompetence and/or irresponsibility, are poisoning the Internet and facilitating the theft of billions of dollars.

Suppose we pass a law that permits the government to play the same game the criminals are playing, but for the public good. I'm not suggesting anything too drastic in practical terms, although I'll admit the concept itself is quite radical.

Suppose we had publicly run servers, with appropriate oversight and control, that scoured the Internet for vulnerable PCs the way the criminals do. But when they find a vulnerable PC, instead of installing malware and stealing passwords or credit card numbers, it posts a warning message to the user that his computer is compromised, constitutes a public menace, and must be properly secured. The message can include a link to general information about the basics of computer security, which would probably resolve the great majority of vulnerabilities.

If we really want to spend resources on this approach, we can develop algorithms that attempt to identify specific vulnerabilities and give the hapless user a hint or two about what they need to do to fix their system. I personally wouldn't object to installing malware that disables the Internet connection for repeat offenders or systems that remain unfixed for a length of time; but I understand how that would be a very controversial step and would have to be thought through.

The incompetent end-user is the weak link in the chain, and they are indispensable to the criminals. The same weakness that enables the criminals to exploit them could also enable the government to stop them from providing the essential service that makes the Internet a cesspool for those of us willing to use our computers responsibly. And if this weak link is removed, the criminals have nothing left to work with, no matter how sophisticated their tools.

Posted by: mark51 | December 10, 2008 12:09 PM | Report abuse

Given our Internet dependence, it's astonishing to think that no one single actor is responsible for keeping the Internet safe. When not even the law can keep up with cybercriminals, people especially need good resources where they can wage the fight against bad actors themselves.

I've been perusing a new online community that does just that - gives computer novices a place to ask questions and get answers about cybersecurity. It's called BadwareBusters.org, from the guys at StopBadware and Consumer Reports WebWatch. I'd encourage people to give it a look.

Posted by: ekatherine | December 12, 2008 10:22 AM | Report abuse

Cisco issued our 2008 Annual Security Report...See our blog post on this that states, in part, "While the biggest threat could sit between the keyboard and the back of the chair, so too could the biggest solution." Full post here:
http://blogs.cisco.com/news/comments/the_year_in_review_no_bailout_from_securitys_threat_landscape/

Posted by: JohnEarnhardt | December 15, 2008 12:52 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company