Friday 10 September 2010

Computer crimes (Part 1)

This article is a very long one but one I feel is absolutely necessary to read. In reading it, you may save yourself the grief that victims of computer crimes have to endure because they didn’t take proper precautions to protect themselves and their computers from computer criminals.

We inhabit a world in which information is sought by those who either want information for the sake of entering the lives of other people or information which can allow one to enter the lives of unsuspecting people. In that sense, the virus is merely an old human desire masked in new clothes of technology.

Cyber crime and cyber terrorism has become a worldwide phenomenon affecting countries in so many ways even though the degree of its impact may vary from country to country. In the US and Europe, the impact of cyber crime has been great affecting insurance companies, financial Institutions, security agencies, and ordinary law abiding citizens.

Cyber crime consists of specific crimes dealing with computers and networks (such as hacking) and the facilitation of traditional crime through the use of computers (child pornography, hate crimes, telemarketing and Internet fraud). In addition to cyber crime, there is also ‘computer-supported crime’ which covers the use of computers by criminals for communication and document or data storage. While these activities might not be illegal in and of themselves, they are often invaluable in the investigation of actual crimes. Computer technology presents many new challenges to social policy regarding issues such as privacy, as it relates to data mining and criminal investigations.

There are many reports of alleged computer crime that has been a hot news item of late. Especially alarming is the realization that many of the masterminds behind these criminal acts are mere children. In fact, children no longer need to be highly skilled in order to execute cyber crimes. ‘Hacker tools’ are easily available on the Internet and, once downloaded, can be used by even novice computer users. This greatly expands the population of possible wrongdoers. Children (and in some cases, their parents) often think that shutting down or defacing Web sites or releasing network viruses are amusing pranks. Some children might not even realize that what they are doing is illegal. Still others might find themselves hanging out online with skilled hackers who share hacking tools with them and encourage them to do inappropriate things online. Unfortunately, some of these child hackers don't realize that they are committing crimes until it is too late. Even more distressing and difficult to combat is the fact that some of these children consider themselves merely as pranksters. Nothing could be further from the truth.

I expressed my concern about adults and children alike hacking into government computers and the dangers that are inherent with this kind of hacking when I addressed a United Nations conference being held in Vienna, Austria in 2000 in which its topics included computer hacking. I expressed my concerns about this world-wide problem to the 1,902 delegates from 137 nations attending the conference and in my speech, when I said in part;

"During the Gulf War, hackers stole information about the U.S. troop movements from U.S. Defense Department computers and tried to sell it to the Iraqis. In March 1997, a 15-year-old Croatian youth penetrated computers at a U.S. Air Force base in Guam. In 1997 and 1998, an Israeli youth calling himself "The Analyzer" hacked into
Pentagon computers with help from California teen-agers.

"Ten computer hackers who might spend several months making their preparations for the purpose of closing down most of the computers in any country or destroying the information programmed into the computers and when the precise moment arrived, they, acting in unison, could cripple an entire country as large as the United States, within 30 seconds. If the country's main computer's programs were destroyed at the same time, it could put that nation back into the dark ages for several years.

"We can spend billions trying to improve the security of our computers but when a twelve-year-old can get into the most sophisticated system, and wreak havoc upon thousands upon thousands of innocent victims half way across the world, then we have to try something else." unquote

I also explained to the delegates the four kinds of computer hackers that commit these crimes when I said in part;

"The first is the hacker who illegally slips into computers to change the data to meet his intentions, such as committing a fraud, altering facts or obtaining information he's not entitled to.

"The second is the hacker who does it because, and I will quote that famous mountain climber, Mallory, "Because it is there." He likes the challenge and although he doesn't want to do any harm, he can still unintentionally cause harm.

"The third kind of hacker is the amateur cyber-terrorist. He is the kind of person who illegally goes into computers for the purpose of destroying data, altering data that will have an effect on others, shutting down computer networks that can end up causing great havoc in any or in all parts of the world. He has no conscious. He simply doesn't give a tinker's dam who he hurts. He is addicted to one thing; power. He gets it by acting as a cyber-terrorist He is a nobody, who through his own efforts alone, can make his existence have meaning to him because his existence can have an effect on the lives of millions of people around the world.

"And finally the fourth kind is the professional cyber-terrorist He is the hacker who is hired to destroy whatever he can to wreak havoc on a nation." unquote

The results of the 2010 CSO Cyber Watch Survey, a cooperative effort between the U.S. Secret Service, Deloitte, the Carnegie Mellon Software Engineering Institute (CERT) and CSO Magazine, and a white paper from Deloitte’s New Center for Security & Privacy Solutions, Cyber Crime: A Clear and Present Danger found that the cyber crime-fueled underground economy continues to breed a sophisticated arsenal of damaging tools and devices (malware, botnets, anonymizers) and companies cannot keep pace or remain focused elsewhere. According to their White Paper;

"Threats posed to organizations by cyber crimes have increased faster than potential victims—or cyber security professionals—can cope with them, placing targeted organizations at significant risk." unquote

Many organizations and individuals alike focus heavily on foiling hackers and blocking pornography while potential—and actual—cyber crimes may be going undetected and unaddressed. This has generated significant risk exposure, including exposure to financial losses, regulatory issues, data breach liabilities, damage to brand, and loss of client and public confidence and the victimization of children.

The investigation of computer crimes differs considerably from those of other ‘traditional’ offenses. The study of criminal cases shows that the low investigation results from the lack of systematized and thoroughly worked procedures of investigating computer crimes, as well as mistakes made during investigating actions with respect to computer information or computers themselves.

The most difficulty investigators will face will be to establish the fact that a computer crime has been committed because its external evidences are less visible when compared with a grocery robbery. In fact, there is rarely visible material damage seen when computer crimes are committed. For example, an illegal copying of information remains undetected and the introduction of viruses is viewed as a simple mistake made by a user that could not ‘catch’ it when communicating with the outer computer world.

The exposure of computer crimes is quite low because of the complexity of hardware and software. Moreover, the victims are often not in a hurry to appeal to law enforcement bodies as it could result in bad publicity. The refusal of the victims to proceed against the offenders with criminal prosecution can result in the lack of general deterrence thereby encouraging the other criminals of the same ilk to try their hand at committing computer crimes. Sometimes the guilty persons are dismissed or transferred to other divisions of their organizations without going to jail.

Banking officials have been known to carefully conceal hacking crimes committed against their bank’s computers when they discovered the invasion of their computers because it can damage the bank’s prestige which could result in the banks losing clients. Some businesses are afraid of serious, thorough investigations into the hacking into their computers because it can reveal that there might be an improper or even illegal activities recorded in their computers. They often fear that insurance companies will increase insurance payments or refuse to renew their insurance policy if computer crimes are regularly committed at their company. Firms that have been victimized because their computers have been hacked into may feel compelled to turn down an investigation into the crime because of them having to disclose in open court their financial and other business secrets.

Commercial activity’ crimes are traditionally measured with minutes, hours, days and weeks, whereas automated system’ offenses are measured with split fractions of a second which makes them that much harder to detect.

Sometimes organizations and businesses do not want to increase their losses by adding investigation costs. Exposed computer criminals in many countries are known to get off with small penalties (often with suspended sentences). This lack of tougher sentences compels the victims not to report a computer hacking incident to law enforcement agencies.

The average citizen perceives a hacker as a very clever and interesting person whereas a company that is a victim of a computer hacker is thought of as being outright stupid. For this reason, not everyone sheds tears for business firms that have suffered from computer crimes. One can appreciate why such victims do not hasten to make a laughing-stock of themselves for being so foolish by making it possible to let a hacker get into their computer system. The victims often deny the existence of a computer theft-type crime because of the bad publicity that will follow when the crimes becomes public.

Sometimes computer crimes are exposed by chance. One day an official from the computer center working some oil companies noticed that a client’s read indicator had been turned on for a long time before the record LED was lighted. The investigation showed that this man had been engaged in industrial espionage and sold company data to its rivals.

There can be no doubt that a good inspector who is knowledgeable in the operation of computers and the investigation of computer crimes should be a perfect programmer or at least know about the use and possibilities of electronic computers. Unfortunately, there are not many such specialists among programmers let alone inspectors.

It is however, an erroneous opinion that the investigation of computer crimes is incredibly difficult and the investigations should only be done by the elite in computer sciences. There are some factors that can actually simplify an investigation. Among them is a strictly limited circle of persons who have access to the computers. From that small group, the persons who are disposed to committing such a crime may be easier to find. In fact, there are much more people capable of destroying a receiver in the public phone booth than those hacking into a computer and inventing and spreading computer viruses. Often the investigations of crimes connected with an illegal using of information computer systems show that most of those offenses were perpetrated by authorized persons that knew quite well the system-operating mode and could take it to their mercenary advantage.

Computer crimes are difficult to expose because there are often no correct anti-theft programs installed and for this reason, criminal attempts can be easily masked under the guise of computer malfunctions or errors.

Some of the most notorious computer crimes have involved computer viruses, such as the Melissa virus that appeared on the Internet in March 1999 and infected systems in the United States and Europe, and the February 2000 distributed denial of service (DDS) attacks on several leading commercial Web sites including Yahoo!, E*Trade,, and eBay.

In 2008, a virus had been infecting popular social networking sites MySpace and Facebook. On Facebook, the virus was causing email messages to be sent to people on ‘friends’ lists asking them to watch a video supposedly on YouTube. The user had to download what purported to be a plug-in to watch the video. The plug-in was actually a virus. A malicious code can be hidden in such applications. The e-mail message appeared to come from a friend. According to tech expert Marc Saltzman, “Even when you go to the fake site, it had their name and profile picture right on the site, so you really believed it.” The virus had affected thousands of sites among Canadian users.

Online social networking websites are playgrounds for hackers who can easily take advantage of people's trust. People are prone to place faith in social networking widgets and links from friends. Every time they open the message, they are showing an implicit trust in whoever wrote the application, and most people don't know who it even is." Opportunities for mischief abound as users place intimate details of their lives on profile pages and install mini-applications made by strangers that don't always have their privacy at heart. Another ruse is to create social networking profiles for people using information mined from the Internet and then for the imposters to send out "friends requests." Those that take the bait give open doors to the private data in their profiles.

Fake postings on comment boards advising people to update software are ways in which to trick social network users into downloading malicious software that can commandeer control of their computers.

Fighting computer technology crimes in an effective way depends on an optimum combination of legal and preventive measures, laborious work on improving criminal laws and elaborating norms that establish the liability for committing cyber crimes and pressing charges against offenders who abuse the trust given to them by their employers.

Cyber-crimes are frequently grouped into three categories. The first are those in which the computer comprises the ‘object’ of a crime and in which the perpetrator targets the computer itself. This includes theft of computer processor time and computerized services. The second category involves those in which the computer forms the ‘subject’ of a crime, either as the physical site of the offense or as the source of some form of loss or damage. This category includes viruses and related attacks. Finally, the third category includes those in which the computer serves as the ‘instrument’ used to commit traditional crimes in cyberspace. This encompasses offenses like cyber-fraud, online harassment, and child pornography.

Though teenage hackers and underage, e-fraud perpetrators have captured headlines, no such typical cyber-criminal exists. Perpetrators commit cyber-crimes for a variety of reasons. Motives range from a desire to showcase technical expertise, to exposing vulnerabilities in computer security systems, retaliating against former employers, or sabotaging government computer systems. Some of the kinds of clients that private investigators may be called upon to help are;

1. Parents who suspect that their children are getting into Internet sites that they shouldn’t be;
2. People who suspect that their computers are being hacked and altered;
3. Employers who suspect that an employee is getting into sites that he shouldn’t be doing on company time;
4. Couples that suspect that their spouses are using the computer to create or access child pornography;
5. Business people who suspect that their confidential information stored into their computers is being seen by hackers.
6. Firms whose financial records are being altered by hackers.
7. People who receive threatening messages on their computers

Here are some of the crimes that the cyber-criminals do.

Money laundering
Identity theft for fraudulent purposes
Document forgery
Extortion through blackmail
Sabotage of computer systems
Social engineering
Child pornography
Drugs trafficking

You may wonder why a private investigator will be called in to deal with these problems on behalf of his clients. As you get further into the descriptions of these computer crimes, you will see why.

Money laundering happens in almost every country in the world, and a single scheme typically involves transferring money through several countries in order to obscure its origins. Obviously criminals cannot disclose the fact that they have obtained money from the crimes they commit so simply putting the money in their bank accounts is out of the question since any single deposit that is larger than $10,000, the depositing bank has to inform the government of the transaction. If a criminal has ten million dollars he wants to deposit in a bank or even in a series of banks, making deposits of less than $10,000 would be all too time consuming and needless to say, a multitude of such deposits over a short period of time would raise eyebrows in the wrong places.

Money laundering, at its simplest, is that money that comes from one source looks like it comes from another source. In practice, criminals are trying to disguise the origins of money obtained through illegal activities so it looks like it was obtained from legal sources. To do otherwise would mean that they couldn’t use the money because it would connect them to the criminal activity and that’s when the law-enforcement officials would seize it.

The legal definition of money laundering has been expanded to include making a financial transaction in order to commit a violent crime, the bribery of public officials and fraudulent dealing with public funds; the smuggling or illegal export of controlled munitions and weapons.

What follows is a case where money launderers were caught by an American sting.

In the late 1980s, American DEA agents posing as money launderers infiltrated the U.S. branch of the Colombian drug-smuggling cartel. Over time, the undercover cops won the confidence of cartel higher-ups through efficient, discreet service. They obtained unprecedented cooperation from authorities in Panama, where many of the drug cartel’s ill-gotten gains were traced. Besides netting hordes of drug traffickers, the coolly efficient agents showed a profit. Operation Pisces (as it was called) was run by the DEA and it made $4.3 million in money-laundering commissions before the DEA wrapped up the operation. It was the largest and most successful undercover ploy in federal drug law enforcement history. Acting simultaneously in Los Angeles, Miami and New York City, U.S. Drug Enforcement Administration officials reeled in some 80 smugglers, dealers and middlemen, and issued arrest warrants for about 35 more. An additional 351 people had already been nabbed on the basis of tips from the three-year operation. About $49 million in cash and property, along with 19,000 lbs. of cocaine with a street value of $270 million or so, was also seized.

Cyber crime comes in many forms, whether it is phishing, (The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft) Nigerian scams, fraudulent cheques or money order scams, and much more. In all cases, money changes hand, and it needs to be funneled back to the scammers in a way that will hide its origins. To this end, the scammers recruit often unsuspecting people who are a bit naive, unscrupulous and often greedy. The offer normally comes in the form of someone being an agent for a company, collecting payments and sending them. By using many of those money mules, the effect is distributed over many individuals making it hard for law enforcement to trace it.

Money mules (innocent dupes) typically are recruited via spam or targeted e-mail. The recipient is often told the potential employer found her resume on and would he or she be interested in working a small number of hours per week to make anywhere from hundreds to thousands of dollars a week. The company usually represents itself as some kind of international finance operation or shipping company. In reality, most are fronts for cyber crime operations that are desperately seeking a constant stream of new recruits to help launder the proceeds of phishing scams and password-stealing computer viruses.

For example, money mules have helped to generate profits for the individual(s) behind some 15 separate, targeted malicious software attacks last year that came disguised as e-mails from the Better Business Bureau, according to iDefense, a security firm owned by Verisign. In those scams, the fraudsters sent virus-laden e-mails to tens of thousands of individuals whose resume and contact information were stolen in a previous compromise of a job-seekers database.

There were several components of this attack, which included installing malicious code and stealing credentials, and the money mule component really helped the criminals pull the two together. The problem that all these scammers face is they have two options for monetizing stolen credit cards and bank account credentials: They can either sell it in bulk, or recruit people to help them pull money out of the accounts.

Many of the duped mules know that what they're doing is illegal, but they play along because they think they can pull one over on the scammers. Scammers have picked up on this, and in some cases have dropped all pretense of being a legitimate employer.

There was a strong link between money mule recruiters and phishing and computer virus writing gangs. Money mule recruiters also found an ally in one of the more prolific families of malicious software, an e-mail based Trojan-horse program known as the ‘Storm worm.’ For the first nine months since its inception in January 2007, the millions of Storm-infected PCs were used mainly to blast out spam used for stock market scams.

All of the messages directed interested recipients to sign up at various online forums. Some were traditional money mule come-ons that tried to maintain a veneer of legitimacy, while other campaigns sought to play on another class of money mule recruits: The greedy who understand full well that they are aiding criminals but nonetheless believe they can reap a share of the profits.

One of the messages sent over the Storm network targeted this group specifically, was straight and to-the-point, with a subject line that read, "Work as a middle man for $8000/month." The rest of the message suggested the criminals' ability to enjoy the benefits of their bounty was limited only by the size of the money mule pool. The message went on to say; "We have large amount of funds on numerous bank accounts which needs to be laundered. We need your help to do that. You'll get 10% of each transaction coming into your bank account."

The number of people who received those solicitations and signed up to become money launderers was staggering. There were dozens of pages of people who offered their name, phone number, home, e-mail address and yes, even their bank information.

If large sums of money was suddenly deposited to your bank, deposits that you couldn’t really explain, money that would be there for a very short time before it was siphoned out by the criminal and sent to another bank somewhere else in the world, you would have a hard time explaining to the authorities where all that money came from and where it went and most importantly, why it was in your account in the first place.

Years ago, my bank account was receiving $8,000 each month for several months. I had no idea where it was coming from. I left it in the account and contacted the manager and told him that I thought the money was being laundered into my bank account. He looked into it and discovered that at another branch of the bank, a customer was given the same account number as mine by mistake and he was depositing the money into his account not knowing that it was also showing up in the bank records of my account. It’s a good thing that he was merely depositing money into his account and not withdrawing money from it because the withdrawals would have come from my bank account.

Identity theft is a form of fraud in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name. The victim of identity theft (meaning the person whose identity has been assumed by the identity thief) can really suffer adverse consequences if he or she is held accountable for the perpetrator's actions. Organizations and individuals who are also duped or defrauded by the identity thief can also suffer adverse consequences and losses, and to that extent, they too are also victims.

The identity thief impersonates someone else in order to conceal their own true identity. Examples might be illegal immigrants, people hiding from creditors or the police. They can also be those who simply want to become ‘anonymous’ for personal reasons. Unlike identity theft used to obtain credit which usually comes to light when the debts mount, concealment may continue indefinitely without being detected, particularly if the identity thief is able to obtain false credentials in order to pass various authentication tests in everyday life. Where the problem for the innocent victim becomes really bad, is when the identity thief obtains a passport or driver’s licence in the name of his victim.

It can be difficult for the victim of a criminal identity theft to clear the criminal record that he has unfortunately inherited. The steps required to clear the victim's of an incorrect criminal record depends on what jurisdiction the crime occurred in and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers and prove their own identity by some reliable means such as fingerprinting or DNA fingerprinting, and may need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases.

In August 2008, the U.S. government has charged 11 people with stealing tens of millions of credit and debit card numbers from nine major U.S. retailers, including the parent company of Canada's Winners and HomeSense stores. It was one of the largest reported cases of its kind. The charges relate to the theft of more than 40 million credit and debit card numbers. Hardest hit was Framingham, Mass.-based TJX Cos., which owns Winners and HomeSense in Canada, along with Marshalls' and TJ Maxx outlets in the U.S. Other affected retailers included BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc.TJX acknowledged in March 2007 that information from 45.7 million credit and debit cards was stolen from its computers. The ring, which authorities said was headed by a Miami man named Albert Gonzalez, hacked into the retailers' computer networks to capture the numbers, which were then stored on computer servers in the United States and Eastern Europe. Members of the ring then sold the information to people in the U.S. and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines.

In March 2008, a New Zealand teenager pleaded guilty for leading an international cyber crime network. When the case first emerged in November 2007, police said that the teenager had led a ring of computer hackers that infiltrated more than one million computers worldwide and skimmed more than $20 million from their victims. The hackers assumed control of the million computers by infecting them with software that allowed them to be used to collect data on their victims.

The ‘C. Rufus Security Team’ was actually a loosely agglomerated group of provocateurs who likely created ‘Ghost Rat’ for kicks in 2009. Then they made it available to anyone on the Internet, including cyber spies and high-tech gangs who wanted to use it to take control of all PCs around the world. Once the Ghost Rat was fully operational (and no one would really notice it) it could pull data off everyone’s computer system. It was so easy to use that anybody with a smidgen of technical know-how could use it against high-level government computer systems and even home computers. Emails designed to be relevant to an intended victim were crafted. They included attachments. Once opened, the attachments unleashed the Ghost Rat. In a two-stage process, the Ghost Rat gained control of the victimized computers. Once in, it mined the user's address book to send more emails in the form of replies to friends or colleagues of the victim.

Most cyber criminals aren't interested in gaining active control of a PC. They're happy to mine it for credit card numbers or bank passwords gleaned by deeply embedded malware (malicious software) in home computers.

In August 2009, a Miami man who on occasion, used the alias ‘soup Nazi’ faced charges in what prosecutors describe as the biggest U.S. case of credit and debit card theft. Albert Gonzalez and two unnamed Russian hackers living in Newark, New Jersey were charged with conspiracy, theft and fraud for allegedly infiltrating merchandiser networks to steal data on about 130 million customers which included scores of Canadian cardholders who were also their victims. Starting in October 2006, the trio conspired together in scanning the list of Fortune 500 companies to select prospective targets and then they sought out vulnerabilities in their online consumer systems. They would steal account data in order to sell it to other parties intent on making fraudulent purchases or unauthorized bank withdrawals, the indictment added. The trio employed numerous techniques to hide their hacking efforts and data breaches, including the use of ‘proxy’ computers. (computers that are chosen at random from ordinary people)

Part 2 will be published in a few days.

No comments: