Friday, January 19, 2007

Is the Mob Controlling Your Computer?

Organized crime has had its fingers in criminal activity on the internet for some time, but until about two years ago most of its activity was limited to obvious scams, pornography and gambling. In the past two years, however, the rapid growth of organized crime in Eastern Europe and a huge increase in sophistication have turned organized crime on the internet from an irritation into a serious problem.

How is this happening? The basic reason is that almost half of all computer users connected to the internet have no security, or ineffective security, protecting themselves and their systems while they browse the web or even use email. That doesn't even take into account new threats spreading into instant messaging, VoIP and even cell phones.

Estimates of losses from internet and other computer-related fraud in the UK alone are over $4 billion annually. And the losses come in all forms – from small sums scammed out of people via email up to blackmail, extortion and outright theft of very large sums from large corporations. Some of these attacks rely on collusion by insiders, or on access to secure systems that insiders grant inadvertently, but most come from some form of trickery that exploits naïve and insecure practices in all kinds of ways. And because of the embarrassment, many of these frauds go unreported.

First up, WHAT criminals are up to - the top types of internet, telephony, email and credit card scams.

Top Scams

1: Credit card and telephony billing fraud. Example: the Gambino family telephony scam – a couple of telephony company executives organized a billing fraud for credit card and telephony services, and a related internet pornography ring, on behalf of the Gambino family – that netted over $500 million over a five-year period.
Reference 1, Reference 2

2: Nigerian (and Eastern European and Indonesian and...) scams – if you have never received a Nigerian scam email, you have probably never received email at all – that's how much of it there is. It is now also known as a 419 scam, after the Nigerian anti-fraud law code.
Reference 1

3: Phishing – typically an email, supposedly from a bank, a credit card company or anyone else with whom you have an online financial account, that tries to tempt you to log into a site that LOOKS like the real site but is really just a way to watch and capture your account information. These have gotten much more sophisticated, and just this past week a kit was made available online to help criminals automatically build sites that transparently pass the data on to the real site and that report that they are the real site – making it even harder to detect the fraud. More recently, VoIP and IP phishing scams have become more prevalent.
Reference 1

4: Zombies – these can be a really subtle scam – you may never even know that you were involved. In this scam your PC is quietly taken over to help run almost every other form of scam. A piece of code gets run on your computer, and it sets itself up as one of a big network of computers (aka a botnet) that hackers have taken over. Once it gets activated, the zombie computer gets used to deliver spam, to infect other computers, to install keyloggers or other malware, or even to take part in distributed denial-of-service attacks – then at some later date it just gets turned off again until another time.
Reference 1

5: Extortion – this is one of the big time mob moneyspinners. They infect computers with zombies – often paying unscrupulous hackers something like 20 cents per infected PC – until they have many thousands of infected computers – and then they block access to a major site by having all those zombie PCs access it simultaneously. Depending on circumstances they deliver an extortion demand before or after the attack. This technique has been used successfully against offshore gambling sites and with mixed success against all kinds of other sites. Demands are typically kept in the $50,000 range to make it easy for companies to pay rather than lose business.
Reference 1

6: Wi-Fi Spying and Packet Sniffing – sure, it's fun to kick back and surf the web at Starbucks or the local library. But as David Pogue of the New York Times has illustrated, it is incredibly easy for any hacker to watch everything you do and also to install software onto your laptop without you knowing. And packet sniffing techniques can be combined with devices that read data right off a wire to rebuild network traffic and capture data on the fly.

7: Buddying Up – cyber criminals are also making friends online – on MySpace, Facebook and even business-oriented LinkedIn – it is easy to fake an attractive identity and then suck in new online friends and harvest personal information – many social network posters are willing to give up information that reveals enough to aid in identity theft.
Reference 1

8: Insider Trading – organized crime is starting to hire and train employees to get inside target companies and then steal information and access codes. There is also evidence that some hackers are getting sponsored through college courses to improve their knowledge of IT and security systems purely in order to make them more effective at creating and running attacks.
Reference 1

9: Event Piggybacks – whether it is the World Cup, the Super Bowl or a hot celebrity scandal, current events are now part of the social engineering attacks used by malicious hackers. An example is online games or downloadable screensavers associated with an event – prior to the 2006 World Cup, German hackers created screensavers for many of the teams and enticed fans to download them. Along with the screensaver came a pile of trojan malware.
Reference 1

10: Dumpster Diving – not really a scam – just taking advantage of people disposing of (or losing) storage devices without taking security precautions. Take your pick of the scare stories – either the US military USB drive with highly confidential data that was for sale at an Afghan bazaar or the German police computer hard drive that was full of criminal data and was sold on eBay.
Reference 1, Reference 2

11: Invisible Links – the latest trick, borrowing techniques from the latest web practices, is to run a piece of JavaScript code when the user simply hovers over a link. That code looks for holes in browser security and downloads a trojan, such as a keylogger, to your PC – all without you even knowing. Plus lots of other Ajax and JavaScript nastiness is possible.
Reference 1

12: Feed spam – Feed spam is basically a way of feeding real sites that use aggregated RSS feeds with bogus information and malware links.
Reference 1

13: Up And Coming – video and multimedia trojans – the next big target is going to be online media – streaming audio, streaming video, Flash movies, animations, games and more. It is quite feasible that someone will find a way to have a YouTube link trigger a method of loading malware onto your computer. How well do you really know that person sending you the latest awesome online video?
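
A defensive check for item 11 (Invisible Links), also usable for vetting the aggregated feed content in item 12: the Python below is an added example, not part of the original post, that scans untrusted HTML for elements that run script on hover and for `javascript:` link targets. The class name, function name and sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Event attributes that fire when the pointer merely passes over an element.
HOVER_EVENTS = {"onmouseover", "onmouseenter", "onmousemove",
                "onpointerover", "onpointerenter"}


class HoverScriptAuditor(HTMLParser):
    """Collects elements that can run script without the user clicking."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        attr_map = {name: (value or "") for name, value in attrs}
        line, _ = self.getpos()
        for name in sorted(HOVER_EVENTS & attr_map.keys()):
            self.findings.append((line, tag, name, attr_map[name].strip()))
        # Browsers ignore tabs and newlines inside a URL scheme, so strip
        # whitespace before comparing; this catches "java&#9;script:".
        href = "".join(attr_map.get("href", "").split()).lower()
        if href.startswith("javascript:"):
            self.findings.append((line, tag, "href", attr_map["href"].strip()))


def audit_html(markup):
    """Return hover-handler and javascript: URL findings for untrusted HTML."""
    auditor = HoverScriptAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample input: hypothetical markup as it might arrive in an
# e-mail body or an aggregated feed item.
SAMPLE = """<p>Match highlights:
<a href="http://video.example/clip" onmouseover="loadExtra()">watch</a>
<a href="http://news.example/story">read</a>
<a href="java&#9;script:run()">more</a>
<span onMouseEnter="track(1)">hover</span></p>"""

if __name__ == "__main__":
    for line, tag, attr, value in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> {attr}={value!r}")
```

A finding is a reason to strip the attribute or reject the content before it is displayed, not proof of malice, since legitimate pages also use hover handlers.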
