As P. T. Barnum might put it, there’s a sucker born every minute and a new net user every second. There is never a shortage of targets on a network of a billion users. And the criminals have developed new scams to trap the net-savvy who won’t fall for the old “click here to verify your account” email scam. Today, phishing schemes have gotten more sophisticated, and criminals have developed a “scam for every end-user.”
There are many cute names for these scams – pharming, vishing, spear phishing, whaling. Jargon makes it too easy to lose sight of the fact that tactics change, but money remains the motive. The truth is that there is no genuine Internet crime, or precious little of it.
Professional Internet crime is mostly bank fraud. The criminals attack the system at the weakest link – the customer or increasingly the customer’s home computer.
The criminals may take the direct approach and tell the user that they must go to a Web site and enter their username/password to “verify their account.” Or they may take a multiple step approach, directing the user to a page that attempts a drive-by download installation of malware.
Of even greater concern than the criminals themselves is the criminal underground, a marketplace where criminals trade stolen card numbers, technical information such as zero-day exploits and an increasing range of outsourced services. An Internet criminal does not need much technical knowledge any more. They can hire the services of outsourced spam senders and botnet managers, have bespoke hacking tools written for them, even hire the services of unwitting accomplices known as mules.
The ability to hire the services of mules is particularly worrying as the services they provide would be equally useful to drug dealers or terrorists. A “package-reshipping” mule receives goods by mail and sends them on to a specified address. In an Internet scam, the packages contain stolen goods bought with a stolen card number from an Internet store. But they might easily be any form of contraband: drugs, weapons, nuclear materials. Similarly, the “money-mover” mule is engaged in what prosecutors call money laundering. The mule receives payments into their account and forwards the money, less their commission, to the criminals. In an Internet scam, the money is stolen from bank accounts the criminals have compromised, but the same services would be of great interest (and utility) to the terrorist or drug dealer.
Hollywood has it wrong: Civilization, or at least the power grid, is not going to be brought down by a single hacker mastermind working alone in a dark room. The hacker does not need to be a genius and does not need to work alone. The criminal Internet underground can provide all the tools and information they might need.
Tactical Responses
The early response to Internet crime was based on tactical approaches. A tactical response alleviates the symptoms but does little to solve the underlying problem.
Only a few of my customers come to me asking, “How do I stop Internet crime?” Instead, most ask, “How do I stop Internet crime affecting my business?” Reducing the fraud rate at one bank is relatively easy; simply make that bank a less attractive target to the criminals than the average.
The number of credentials a criminal can steal depends on how long a capture site remains active. A bank can make itself a relatively less attractive target by aggressively contacting the ISPs hosting capture sites (or having an outsourced service do this on its behalf) and telling them to take the sites down. As banks became equally effective at having capture sites taken down, the criminals developed techniques to foil the takedown services, rapidly switching among hundreds of capture sites, a technique aptly named “fast-flux.”
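The “fast-flux” behaviour described above leaves a trace that a defender can look for in DNS data: a hostname that keeps resolving to fresh addresses, spread across unrelated networks, with short TTLs so that clients re-query often. The script below is an added example and not code from the article or its author. It assumes a constructed passive-DNS log format of one record per line, “timestamp domain ip ttl”, and uses illustrative thresholds and sample records built for the example (RFC 5737 documentation addresses, not real hosts).

```python
"""Heuristic fast-flux profiling over passive-DNS records (added example).

Assumed log format (constructed for this example):
    <ISO timestamp> <domain> <resolved IPv4> <TTL seconds>
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. www.bank.example behaves like a stable host;
# verify-account.example shows the churn pattern described in the article.
SAMPLE_LOG = """\
2008-03-01T10:00:00 www.bank.example 198.51.100.10 3600
2008-03-01T10:05:00 www.bank.example 198.51.100.10 3600
2008-03-01T10:10:00 www.bank.example 198.51.100.11 3600
2008-03-01T10:00:00 verify-account.example 203.0.113.5 120
2008-03-01T10:02:00 verify-account.example 192.0.2.77 120
2008-03-01T10:04:00 verify-account.example 198.51.100.200 60
2008-03-01T10:06:00 verify-account.example 203.0.113.9 120
2008-03-01T10:08:00 verify-account.example 192.0.2.130 90
2008-03-01T10:10:00 verify-account.example 203.0.113.44 120
"""


@dataclass
class DomainProfile:
    """Aggregate of every answer seen for one domain."""
    domain: str
    resolutions: int = 0
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)   # /24 networks seen
    min_ttl: int = 1 << 31
    changes: int = 0                                   # consecutive answers that differ
    last_ip: Optional[str] = None

    def flux_score(self) -> float:
        """Fraction of answers that introduced a new address (1.0 = always fresh)."""
        return len(self.ips) / self.resolutions if self.resolutions else 0.0


def parse_record(line: str) -> Tuple[str, str, str, int]:
    ts, domain, ip, ttl = line.split()
    return ts, domain, ip, int(ttl)


def build_profiles(log_text: str) -> Dict[str, DomainProfile]:
    """Group records per domain, in timestamp order, and accumulate the profile."""
    records = [parse_record(l) for l in log_text.splitlines()
               if l.strip() and not l.startswith("#")]
    records.sort(key=lambda r: (r[1], r[0]))      # (domain, timestamp)
    profiles: Dict[str, DomainProfile] = {}
    for _ts, domain, ip, ttl in records:
        p = profiles.setdefault(domain, DomainProfile(domain))
        p.resolutions += 1
        p.ips.add(ip)
        # Collapse to the /24 so that churn within one provider's block does not
        # look like churn across unrelated hosting networks.
        p.prefixes.add(str(ip_network(f"{ip}/24", strict=False)))
        p.min_ttl = min(p.min_ttl, ttl)
        if p.last_ip is not None and p.last_ip != ip:
            p.changes += 1
        p.last_ip = ip
    return profiles


def is_fast_flux(p: DomainProfile, min_ips: int = 5,
                 min_prefixes: int = 3, max_ttl: int = 300) -> bool:
    """Illustrative rule: many distinct addresses, in several networks, with short TTLs."""
    return (len(p.ips) >= min_ips
            and len(p.prefixes) >= min_prefixes
            and p.min_ttl <= max_ttl)


def flag_fast_flux(log_text: str, **thresholds) -> List[str]:
    """Return the sorted list of domains whose profile matches the rule."""
    return sorted(d for d, p in build_profiles(log_text).items()
                  if is_fast_flux(p, **thresholds))


if __name__ == "__main__":
    for name, p in sorted(build_profiles(SAMPLE_LOG).items()):
        print(f"{name:24} answers={p.resolutions} ips={len(p.ips)} "
              f"nets={len(p.prefixes)} min_ttl={p.min_ttl} "
              f"score={p.flux_score():.2f} flagged={is_fast_flux(p)}")
```

Thresholds like these are a starting point for triage, not a verdict: large content-delivery networks also answer with many addresses and short TTLs, so a match should be corroborated (for example by whether the addresses sit in consumer broadband ranges) before a takedown request is raised.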
Today, a much greater emphasis is placed on stopping the criminals making money. The criminals don’t really want credit card numbers; they want money. Cashing out credentials is currently the most labor-intensive and riskiest part of the process. Stolen credit card numbers typically change hands on the Internet underground for a dollar or less, yet the average loss per card is more than a hundred times greater.
Banks now go to great lengths to recover money that has been taken fraudulently, even if the costs of recovery are considerably greater than the amounts recovered.
The fraud mitigation systems deployed by the banks have made it difficult for the phishing gangs to drain a compromised account using direct transfers by wire or through a jurisdiction with “opaque” banking laws. Consequently, the gangs will typically attempt to drain it through the services of a money-mover mule. The mule receives the stolen funds in their personal U.S. bank account (holding such an account being the sole qualification the gang mentioned in its recruitment ad), then transfers the money to the crooks by international wire.
When the bank from which the funds were stolen initiates recovery, the fraudulent transfers into the mule’s account will be reversed, but not the authorized transfers to their “employer.” The mule may be left with a debt of $50,000 or more.
Besides the return of the stolen funds, recovery denies the phishing gang the services of the mule. A phishing capture site hosted on a hijacked machine is easily replaced, but a mule is an accomplice and recruiting accomplices represents a considerable investment of time and money.
Recruitment of mules currently represents the bottleneck in the phishing-gang operations. The criminals who manage conversion of stolen cards into cash extract 99% of the value. Shutting down mule-accomplices is thus a highly effective means of reducing the criminal’s profits.
But better than shutting down mule-accomplices after recruitment is to prevent the gangs recruiting them in the first place. The gangs have absolutely no loyalty to the mules they recruit. Once a mule has been discovered, many gangs will use the information they gave when they applied for their job to apply for fraudulent loans in their name.
We need to raise user awareness of this side of phishing crime. Mule-accomplices risk ruined credit, bankruptcy and jail. The more people who are aware of the real nature of these “work at home” scams, the harder it will be for the criminal gangs to recruit and the less money they will make.
Strategic Response
Acting against the mule-accomplices is an example of a strategic response. Strategic responses are much more robust than tactical responses because they work to make the Internet a less permissive environment for crime.
We should hardly be surprised that social problems have emerged as the Internet has grown from a million users to over a billion in a little more than a decade. The Internet was originally designed to meet the communication needs of an academic research community. As several observers have put it, there was a perimeter security model: Only accredited researchers had access to the Internet machines.
What has attracted rather less attention than it should is that the early Internet also had accountability: Students knew that if they abused their access privileges they might have them revoked.
In the mid-90s the Internet was transformed from research network to today’s public Information Superhighway. The accountability mechanisms of the early Internet were gone with nothing to replace them. As a consequence, Internet abuse began to rise.
I believe that the key to turning the tide on Internet crime is to make the Internet a less crime-permissive environment by distinguishing the parts of the Internet where the user is assured of accountability.
The Internet has a million uses, only some of which involve risk and thus require accountability. Accountability is not required when researching facts online or looking up recipes. But accountability is required in commerce. A consumer can only have confidence in Internet banks and Internet merchants if they are accountable and face real consequences in case of a default.
Extended Validation Certificates are one tool that has been introduced to allow consumers to identify accountable Web sites. Contrary to the claims made by some, an Extended Validation (EV) Certificate does not guarantee that a plasma TV merchant has a ‘secure’ Web site, or that the TV you buy from them will work, or be delivered undamaged or that you will like it. All that an Extended Validation Certificate provides is an assurance that the identity of the merchant has been validated in accordance with a set of industry criteria developed by the CA/Browser Forum. These criteria were designed to assure accountability, that the merchant will face civil, or if appropriate criminal consequences if it defaults.
Extended Validation certificates work with the same tried and tested SSL security protocol as traditional digital certificates, but when used with a browser with EV support they provide the user with a much more visible (and more informative) indication of a secure connection to the site. The displays in IE7 and Firefox 3 are typical: in both cases the address bar turns green.
A key feature of all the EV browser displays is that the certificate issuer is also prominently displayed to the user. The purpose of this display is again accountability. Should a certificate issuer be consistently negligent so as to damage their brand, consumers will be less likely to trust Web sites that use these certificates and administrators less willing to buy them.
So far, Extended Validation Certificates have had a much greater effect on user behavior than expected. Internet merchants who have deployed EV Certificates have reported the number of abandoned shopping carts decreasing by as much as 8.6 percent, and some merchants have reported a 13 to 27 percent increase in sales.
The design of SSL when first deployed reflected the security approach of the day: It was all about getting the cryptography right and making sure that everything was end-to-end secure. Today we recognize that the real ends of Internet communications are people, not machines, and that we have for years neglected the problem of securing the last few feet between the user’s eyeballs and the screen.
Hopefully we will not have to wait long before the next improvement in the security user experience. In particular, we should start making use of corporate logos to represent corporate identities. When we receive a letter from a bank we look for the logo on the letterhead; we need secure letterhead for the Internet, applied to every form of Internet communication: Web, email, instant messaging, VOIP. We already have the technical specifications; what we need to do now is to apply them.
Not Hopeless
Contrary to popular belief, the criminals are not smarter than the rest of us, they are not invincible and there is a lot we can do to reduce their activities.
There is no silver bullet for stopping Internet crime, but there is no shortage of ideas that could have a high impact. The problem has been how to put those ideas into action. Stopping Internet crime is going to be a huge task, one that will require many more people to become familiar with security issues even if they do not become security specialists. Reclaiming the net from the criminals is going to take a long time, but we are never going to finish unless we start. Below is a reference list of terms.
Jargon
Phishing: Theft of access credentials (credit card number, bank account username/password); traditionally refers to the use of social engineering techniques but is now used more widely
Pharming: A phishing attack in which the Domain Name System is compromised
Spear Phishing: A phishing attack directed against a narrowly chosen target
Whaling: A phishing attack directed against a specific, very high value target (e.g. CEO of large company)
Malware: Any form of malicious software (virus, worm, Trojan)
Drive-by Download: Software that uses a browser or operating system bug to install itself on a machine without user acceptance
Botnet: Network of compromised computers
Mule: Criminal accomplice hired to do a menial task with a high risk of arrest
- Phillip Hallam-Baker is Principal Scientist at VeriSign and author of The dotCrime Manifesto, an approachable introduction to the real problems of Internet crime.