SAN JOSE, CALIF.: Dec. 25, 2007 Somewhere in St. Petersburg, Russia’s second biggest city, a tiny startup has struck Internet gold. Its dozen-odd employees are barely old enough to recall the demise of the Soviet Union, but industry analysts believe they’re raking in more than $100 million a year from the world’s largest banks, including Wells Fargo and Washington Mutual.
Their two-year rise might be the greatest success story of the former Eastern Bloc’s high-tech boom — if only it weren’t so illegal. The cash might be coming from your bank account, and they could be using the computer in your den to commit their crimes.
The enigmatic company, which the security community has dubbed ”Rock Phish,” has rapidly grown into a giant of the Internet underground by perfecting a common form of Internet crime known as ”phishing.” The thieves capture people’s personal computers, then use them to send phony e-mail that tricks other users into revealing private financial information.
”Rock is the standard. They’rethe Microsoft,” said Jose Nazario, a researcher at security company Arbor Networks. ”Everyone else is a bit player.”
As big as Rock Phish has become, though, it is a sliver of a much larger problem.
During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame. These Al Capones of the information age are like ghosts in our Web browsers, silently taking over our computers, stealing digital bits and turning our data into cash.
They’ve created a sophisticated cyberspace shadow economy, which government and research firms estimate costs us tens of billions of dollars annually. The crimes themselves, and their staggering effect on our wallets, are disturbing. Yet the greater concern is the failure of corporate executives, government leaders and average citizens to comprehend the mounting threat and fight back.
”People talk about a ‘Digital Pearl Harbor,’ but that’s already happened,” said Rick Wesson, chief executive of Support Intelligence, one of many companies in the California area known as Silicon Valley battling these cybercriminals. ”It’s just that people don’t understand it has happened.”
Snowballing problem
Organized online crime didn’t appear out of nowhere — security experts have been tracking its growth for years — but by almost every measure, it’s exploding: The number of new pieces of malicious software, or ”malware,” tripled in the first half of this year compared with the previous six months, according to computer security company Symantec. And the number of phishing Web sites spotted in the first three months of 2007 by security software maker McAfee skyrocketed 784 percent compared with the year before.
These attacks cost real people real money — individual Americans lost at least $200 million last year to online fraud — and that’s just the people who took the time to report their misfortune to the FBI’s Internet Crime Complaint Center. Those 200,000 cyberfraud victims said they were swindled out of an average of $724 — an amount small enough to discourage individual reporting and to help keep Rock Phish relatively hidden.
Businesses are hit even harder: Average annual losses doubled to $345,000 per company in the 2007 Computer Security Institute survey. A 2006 FBI estimate pegged the total cost of cybercrime to businesses at more than $67 billion.
These statistics exclude a variety of additional, indirect costs to U.S. citizens: higher retail prices and banking fees, declining stock values, lower wages and decreased tax revenue.
None of the figures is perfect. Security vendors, research firms and law enforcement all have an incentive to inflate the numbers when it might mean increasing sales, visibility or funding. At the other extreme, businesses like banks are motivated to play down the problem. Yet the general trend is clear to almost everyone who has studied Internet security: Cybercrime is pervasive, and getting worse.
”The volume in absolute numbers is going through the roof,” said Mark Harris, global director of SophosLabs, the research unit of British security vendor Sophos. ”We’ve simply stopped counting.”
Their two-year rise might be the greatest success story of the former Eastern Bloc’s high-tech boom — if only it weren’t so illegal. The cash might be coming from your bank account, and they could be using the computer in your den to commit their crimes.
The enigmatic company, which the security community has dubbed ”Rock Phish,” has rapidly grown into a giant of the Internet underground by perfecting a common form of Internet crime known as ”phishing.” The thieves capture people’s personal computers, then use them to send phony e-mail that tricks other users into revealing private financial information.
”Rock is the standard. They’rethe Microsoft,” said Jose Nazario, a researcher at security company Arbor Networks. ”Everyone else is a bit player.”
As big as Rock Phish has become, though, it is a sliver of a much larger problem.
During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame. These Al Capones of the information age are like ghosts in our Web browsers, silently taking over our computers, stealing digital bits and turning our data into cash.
They’ve created a sophisticated cyberspace shadow economy, which government and research firms estimate costs us tens of billions of dollars annually. The crimes themselves, and their staggering effect on our wallets, are disturbing. Yet the greater concern is the failure of corporate executives, government leaders and average citizens to comprehend the mounting threat and fight back.
”People talk about a ‘Digital Pearl Harbor,’ but that’s already happened,” said Rick Wesson, chief executive of Support Intelligence, one of many companies in the California area known as Silicon Valley battling these cybercriminals. ”It’s just that people don’t understand it has happened.”
Snowballing problem
Organized online crime didn’t appear out of nowhere — security experts have been tracking its growth for years — but by almost every measure, it’s exploding: The number of new pieces of malicious software, or ”malware,” tripled in the first half of this year compared with the previous six months, according to computer security company Symantec. And the number of phishing Web sites spotted in the first three months of 2007 by security software maker McAfee skyrocketed 784 percent compared with the year before.
These attacks cost real people real money — individual Americans lost at least $200 million last year to online fraud — and that’s just the people who took the time to report their misfortune to the FBI’s Internet Crime Complaint Center. Those 200,000 cyberfraud victims said they were swindled out of an average of $724 — an amount small enough to discourage individual reporting and to help keep Rock Phish relatively hidden.
Businesses are hit even harder: Average annual losses doubled to $345,000 per company in the 2007 Computer Security Institute survey. A 2006 FBI estimate pegged the total cost of cybercrime to businesses at more than $67 billion.
These statistics exclude a variety of additional, indirect costs to U.S. citizens: higher retail prices and banking fees, declining stock values, lower wages and decreased tax revenue.
None of the figures is perfect. Security vendors, research firms and law enforcement all have an incentive to inflate the numbers when it might mean increasing sales, visibility or funding. At the other extreme, businesses like banks are motivated to play down the problem. Yet the general trend is clear to almost everyone who has studied Internet security: Cybercrime is pervasive, and getting worse.
”The volume in absolute numbers is going through the roof,” said Mark Harris, global director of SophosLabs, the research unit of British security vendor Sophos. ”We’ve simply stopped counting.”
The Internet has handed postmodern swindlers an endless supply of marks, and cheap tools to attack millions with a single click.
In phishing, one of the most successful scams, people are tricked into revealing their passwords and other account information by phony e-mail that purports to come from banks. Cybercriminals then use that information to pilfer money. The first such schemes hit America Online members a decade ago. The attacks then spread to e-mail, targeting eBay and banks. Before long, Americans were getting phished by the thousands.
How they fool you
Some people are lured to visiting Web pages containing malware, either by inadvertently visiting infected sites or by clicking on an e-mailed link. There, a pixel-size frame, invisible to the user, stealthily installs code onto the computers of visitors lacking the latest Web browser security updates. Most users have no idea such a ”drive-by download” has taken place, even as these Trojan horses surreptitiously log their banking passwords or other private information.
Criminals are increasingly hiding this malware within apparently safe sites. Last year, Circuit City acknowledged its customer-support site had been hacked and was serving up dangerous code, allowing hackers to take control of visitors’ PCs.
In an April research paper called The Ghost in the Browser, a Google security team led by Niels Provos described a digital hunt through billions of Web pages searching for malicious sites. Using a process Provos calls ”conservative,” the team identified more than 450,000 Web pages that included malicious code, and 700,000 that ”seemed” dangerous. Google says the numbers are now much larger.
Even the least technical crooks can launch phishing campaigns or control a network of millions of hacked computers at the touch of a button, by purchasing do-it-yourself cybercrime kits.
For about $1,000 on underground sites, you can buy MPack, a full-service malware attack and distribution kit, which lets you host a Web page that infects any user who visits. Owners can even monitor the number, type and location of infections from MPack’s handy console page.
Worldwide epidemic
Dave DeWalt stood beneath the massive mounted television screen in April, staring at thousands of dots as they flickered across the continents of a digital world map. Each represented a real-time cyberspace attack: green for dozens of spam e-mails spewed out in the past six hours, amber for hundreds and red for more than 500 sent.
In phishing, one of the most successful scams, people are tricked into revealing their passwords and other account information by phony e-mail that purports to come from banks. Cybercriminals then use that information to pilfer money. The first such schemes hit America Online members a decade ago. The attacks then spread to e-mail, targeting eBay and banks. Before long, Americans were getting phished by the thousands.
How they fool you
Some people are lured to visiting Web pages containing malware, either by inadvertently visiting infected sites or by clicking on an e-mailed link. There, a pixel-size frame, invisible to the user, stealthily installs code onto the computers of visitors lacking the latest Web browser security updates. Most users have no idea such a ”drive-by download” has taken place, even as these Trojan horses surreptitiously log their banking passwords or other private information.
Criminals are increasingly hiding this malware within apparently safe sites. Last year, Circuit City acknowledged its customer-support site had been hacked and was serving up dangerous code, allowing hackers to take control of visitors’ PCs.
In an April research paper called The Ghost in the Browser, a Google security team led by Niels Provos described a digital hunt through billions of Web pages searching for malicious sites. Using a process Provos calls ”conservative,” the team identified more than 450,000 Web pages that included malicious code, and 700,000 that ”seemed” dangerous. Google says the numbers are now much larger.
Even the least technical crooks can launch phishing campaigns or control a network of millions of hacked computers at the touch of a button, by purchasing do-it-yourself cybercrime kits.
For about $1,000 on underground sites, you can buy MPack, a full-service malware attack and distribution kit, which lets you host a Web page that infects any user who visits. Owners can even monitor the number, type and location of infections from MPack’s handy console page.
Worldwide epidemic
Dave DeWalt stood beneath the massive mounted television screen in April, staring at thousands of dots as they flickered across the continents of a digital world map. Each represented a real-time cyberspace attack: green for dozens of spam e-mails spewed out in the past six hours, amber for hundreds and red for more than 500 sent.
DeWalt was inside a corporate laboratory in Aylesbury, England, roughly 5,000 miles from the headquarters of Mc-Afee, which he had recently joined as chief executive. Mc-Afee researchers had narrowed down to a one-mile radius the locations of computers hurling out e-mail to swindle, scam or make life miserable for Internet users.
Dots appeared inside university dorms, popped up across the Middle East, swarmed through Eastern Europe. In more than 20 years in the tech industry, DeWalt had never seen anything like it. He began to understand something few Americans — even at the highest levels of government, business and academia — are able to grasp: the complex reality of the omnipresent cybercrime crisis, spreading worldwide, from Silicon Valley to Southeast Asia.
”I came into McAfee not knowing what was going to hit me,” DeWalt said. ”It’s becoming an epidemic.”
This plague of online crime isn’t just chaotic wrongdoing on a mass scale — it has coalesced into an interconnected industry that runs the gamut from virus writing to money laundering. Seemingly separate attacks like spam, phishing scams, viruses and Trojans, botnets and data breaches are the ugly Hydra heads of a single, complex beast that functions much like a legitimate market.
An organized crime syndicate might buy a trove of e-mail addresses culled from a data breach; spam e-mail with a Trojan attached; absorb recipients’ computers into a ”botnet” that it rents out to a phishing group, which sends its own e-mails purporting to be from a major bank, asking users to log onto sites hosted on a different botnet; and then steal money from those accounts and launder them through mules, with everyone taking a cut of the proceeds.
Not even Rock Phish stands alone — evidence points to links between these phishers and the Russian Business Network, an Internet service that plays host to several cybercriminals, according to anti-cybercrime detectives at VeriSign iDefense, as well as other researchers.
The online crooks are constantly bartering, buying and renting from one another, just as Microsoft and Google rely on other tech companies for the products and services that keep their corporations functioning.
Not even Rock Phish stands alone — evidence points to links between these phishers and the Russian Business Network, an Internet service that plays host to several cybercriminals, according to anti-cybercrime detectives at VeriSign iDefense, as well as other researchers.
The online crooks are constantly bartering, buying and renting from one another, just as Microsoft and Google rely on other tech companies for the products and services that keep their corporations functioning.
EMAIL US! Send Us News, Comments, Questions
COME SEE OUR MYSPACE PAGE! myspace.com/privateofficernews
ADD YOURSELF TO OUR FRIENDS!
