what constitutes a crime?
what crime is more serious than another?

both questions of great magnitude that i fear to even begin and approach in this blog. still, whatever the answer is there is one thing i am sure of; it isn’t black and white.

in the changing world we live in with constant revolutions of a grand magnitude happening continually, with a global economy, internet society and many others, we all try and cope. our world is used to a major revolution in our way or life and how we think once every few dozens to hundreds years, allowing us time to adjust.

in today’s world we no longer have that luxury.

i often struggle with how law enforcement today operates. organizations whose business it is to keep the public safe are years behind on what’s actually going on. where they are not behind they often face policy from above that tells them not to work on “cyber”-issues (i hate “cyber-”) as there are far more pressing matters about.

that policy is correct. catching murderers and rapists is by far more critical than catching the kid next door in his latest “computer prank”. plus, petty theft is something the public cares about. “hackers”.. well. we are often proud of our overly intelligent kids and the feats the accomplish.

as i already said though - nothing is ever black and white unless it is how we view it. online crime is no longer about kids. it is not a bored employee who hates his boss and tries to hack the company’s servers after-hours. online crime is a business.

much like with every other society, the “attacker” may be a bored kid, a disgruntled employee or a small-time criminal. the “attacker” can also just as easily be the mob, a competing company (industrial espionage) and maybe even a nation.

who owns a gun in our world? who owns a gun in the “cyber-”world? the comparison is very acute.

today, this is not just fud. internet crime is no longer (only) about kids trading bots like candy. today it is about organized crime taking over and investing vast amounts of money in r&d of both their /technological/ and /operational/ capabilities.

we often do not see behind the scenes, but if we do take a few choice cases -
1. the israeli trojan horse scandal, where leading companies hired private investigation firms to spy on their competition using trojan horses. the price-tag was 17k uk pounds per computer being tapped, per month.
2. google it, but there were similar cases discovered in the last 6 months in both the uk and the us.

i’ve personally been approached about doing such illegal “thingies” two times, thus far. once by a middle-man and once by the ceo of a global private investigation firm. i didn’t take the jobs but it is pretty obvious that “hidden” world is very much alive. we just don’t hear about it _very_ often.

what we do hear about, see and get annoyed by every day is phishing. it is public and might give us some sort of an indication to what this is all about.

the apwg reports thousands on thousands of new unique phishing sites every month. losses from phishing in the us amount to 10-20 million usd for some banks.

in germany, there is a phishing attack every few days by several different scammer groups. in each such attack about 2000 people get fooled and about 6 people do not get their money back (banks are very good at moving money around).
on average, about 6k euro are lost per person. that’s 1.2 million euro per year, for one group. these numbers keep increasing.

it is estimated that globally, in the first half of 2005 roughly half a billion usd were lost for scammers from phishing alone.

all these numbers do not include damages, recovery and money paid for prevention.

what does this mean?

it means there is clear-cut roi (return on investment - bahh, management talk) to the bad guys. they are not going to stop as long as the economics of it are in their favor and the only way to change the economics is to make it not worth their while.
today they do not take much of a risk though, do they?

a second important point is that indeed, this is no longer just an online issue. money is real. the attackers are not bored kids, they are more often than not the russian mob.

as an example for a meat-space connection; earlier this year a woman got her account cleaned up at a branch of her bank in the west coast, following her account details being phished.
a week later a fedex package came in to a different branch of the bank - in the east coast.
that package held a fake check meant to re-fill that account.

law enforcement has made incredible improvements in both ability and willingness to cope with online issues, especially these past two years. still, they are under-staffed, often burdened by handling computers for meat-space cases over actual “cyber-” cases and the policy guys upstairs still do not see the problem for what it is.

that’s it in a nutshell. next time, as time allows, maybe we will go into what actually gets done, who the players are and where we are all headed.

gadi evron,
ge@beyondsecurity.com.

-

Is your site safe from XSS Attacks? Use Active Network Scanning to protect your network!