Cybercrime Hype Alert

It seems to be the season for cybercrime hype. First, we have this article from CNN, which seems to have no actual news:

Computer hackers will open a new front in the multi-billion pound "cyberwar" in 2007, targeting mobile phones, instant messaging and community Web sites such as MySpace, security experts predict.

As people grow wise to email scams, criminal gangs will find new ways to commit online fraud, sell fake goods or steal corporate secrets.

And next, this article, which claims that criminal organizations are paying student members to get IT degrees:

The most successful cyber crime gangs were based on partnerships between those with the criminals skills and contacts and those with the technical ability, said Mr Day.

"Traditional criminals have the ability to move funds and use all of the background they have," he said, "but they don't have the technical expertise."

As the number of criminal gangs looking to move into cyber crime expanded, it got harder to recruit skilled hackers, said Mr Day. This has led criminals to target university students all around the world.

"Some students are being sponsored through their IT degree," said Mr Day. Once qualified, the graduates go to work for the criminal gangs.

[...]

The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study.

By trawling websites, bulletin boards and chat rooms that offer hacking tools, cracks or passwords for pirated software, criminal recruiters gather information about potential targets.

Once identified, young hackers are drawn in by being rewarded for carrying out low-level tasks such as using a network of hijacked home computers, a botnet, to send out spam.

The low risk of being caught and the relatively high-rewards on offer helped the criminal gangs to paint an attractive picture of a cyber criminal's life, said Mr Day.

As youngsters are drawn in the stakes are raised and they are told to undertake increasingly risky jobs.

Criminals targeting children -- that's sure to peg anyone's hype-meter.

To be sure, I don't want to minimize the threat of cybercrime. Nor do I want to minimize the threat of organized cybercrime. There are more and more criminals prowling the net, and more and more cybercrime has gone up the food chain -- to large organized crime syndicates. Cybercrime is big business, and it's getting bigger.

But I'm not sure if stories like these help or hurt.

Posted on December 14, 2006 at 2:36 PM • 25 Comments

Comments

Mark J.December 14, 2006 2:58 PM

Sure, scoff at these stories all you want. You'll be singing a different tune when a big piece of sky bonks you on the head.

a_lexDecember 14, 2006 3:19 PM

@Mark
Ahem, can you please explress how do such articles help to aleviate the situation?

They arouse hysteria, pretty much, yes... Does mass hysteria help improve security?

Anonymous CS StudentDecember 14, 2006 3:35 PM

Maybe it's a good thing they're recruiting IT students. Their devious schemes will be late and over budget every time. This might very well be the downfall of organized crime.

/me ducks for cover somewhere IT students don't go...the UNIX lab

J.D. AbolinsDecember 14, 2006 3:44 PM

I agree with Bruce. I am not sure myself if the stories help or hurt.

The BBC story was somewhat useful for me as a little piece of info, especially who's claiming what, among many others I get about security matters.

But for many readers of the cybercrime stories can be alarming because of the tone and lack of a bigger context for the reported trend.

For example, organised crime/gangs/terrorists/whatever looking for insiders and to-be insiders is nothing new. The hype is the high tech involved.

For example, talking about gangs getting a comp-sci student to be a mole in a company can get more attention than if the mole was an accountant, a mailroom worker, or a janitor.

Related to the reporting helping or hurting, I've been seeing a number of stories about one problem or another that present a supposed problem without giving ample info for the reader to determine if it is really a big problem. Also, very little, if anything, is mentioned about efforts or steps to remedy the problem, making it seem like a looming inevitable disaster.

Maybe it is not one story or another in particular but the number of stores that together that can encourage fear, irrationality, etc.

But what's the old saying about news business? "If it bleeds, it leads."

georgeDecember 14, 2006 4:33 PM

Yes, this is how I got my start. Lured by the evil Internet. Started on the soft stuff and graduated to the hard stuff. Please save me.

bobDecember 14, 2006 4:40 PM

That was a helluva spin in that story.

I hope the next such story will be about the scores, nay, hundreds, thousands, of housewives, students, etc. who sign up to receive packages for "foreign clients" and then forward such packages to a foreign location. Yes, this scam has been around for a long time. Yes, people still get sucked into it. Yes, it's almost always well organized by the thieves, who would easily fit the definition of "organized crime". Will we ever see a story about it? I fear not.

I think the cybercrime connection was hyped in order to sell the story. What I wonder is how they found out that IT students were being funded by crime syndicates. That's not something your average student would admit to, assuming they even knew. So I call "BOGUS" on that part of the story until someone shows me proof, and not just some shady character's assertion of it.

JohnDecember 14, 2006 5:13 PM

Computer crime hype has been going on for a long time. There were a couple of articles in Computer/Law Journal years ago, (about 1980) on hype. The hype led to very bad laws at state and federal levels that vaguely defined "crimes" that required no real "act", more a state of being; and no real harm. "Approaching a computer without authorization" for example was a criminal offense in many versions of the same law. And "computer" was so carelessly defined that a pocket calculator, or the telephone system, was a computer.

I complained at the time, and was told by some prosecutors that I should trust their discretion.

I don't know if Computer/Law Journal is still around, but it might be worth looking up those early articles.

NamelessDecember 14, 2006 6:13 PM

Bruce,

Yes, the real value of these stories is open to question - especially from *YOUR* perspective.

The problem is that your knowledge of contemporary IT security issues is so far avbove the average, you can easily lose site of the layman's view. If this sounds like sarcasm or sycophancy then sorry; that is not my intention.

Virtually all readers of this blog will have some sort of interest in IT security and may evaluate media stories about IT security scares rather differently from the layman. I also suggest that the portrayal of IT 'hackers' in films and books doesn't really help much either.

It seems to me that it is not going to be easy to get a realistic way of explaining contemporary IT security through mass media using formal papers, discussions and presentations. Perhaps there is an opportunity for a TV show that covers this stuff properly but in an entertaining format?

Clive RobinsonDecember 14, 2006 6:27 PM

The stories conclusions may be sensationalist an possibly untrue but there is more than a grain of truth in some of the things they say.

First off for the past 18 months or so there has been a noticable trend towards what appears to be "guns for hire" in the cracker community.

This is due in part to the increase of zero-day attacks being used for "stealth targeted attacks" as oposed to "public defacment attacks". This has been thought by some to indicate skilled hackers have swapped "feeding their ego" for "feeding their pocket". Which to me suggests "comming of age" and the "realities of life" that hits in your mid twenties to thirties when you cut lose from the nest.

This appeared to be supported by the number of "malware" attacks being aimed at "direct criminal" activities as oposed to indirect or unsociable attacks such as spam bots etc. However if you think back to "rouge dialers" and the associated "premium rate number" scams this has been going on for quite a few years.

The quote Bruce pulled from the CNN report in of it's self is not particularly fanciful, and I suspect that many "security experts" (pundits?) would regard it as being a not unresonable projection of current trends.

With regards to the BBC and ,

"Traditional criminals have the ability to move funds and use all of the background they have," he said, "but they don't have the technical expertise."

This is well known from card skiming gangs and their hardware, so why is so shocking with regards to software?

As regards,

"As the number of criminal gangs looking to move into cyber crime expanded, it got harder to recruit skilled hackers, said Mr Day. This has led criminals to target university students all around the world."

Yup I suspect that is very true as well, it is a natural consiquence of card skimming and related attackes.

I suspect that the "criminals" concerend doing the recruiting might well be the same "technical experts" from card skiming gangs. After all they have quite an affinity with students as they where/are probably students themselves. They could quite easily spot the type of student they are looking for as they tend to stand out like a sore thumb due to their technical curiosity etc. Due to this they would be very very easily led into the more risky areas of activity, especially if their ego is stroked in the right way. Think recruiter playing "CEO of small security start up".

In a very few cases it might well be a "meeting of minds" and a "technology swap" where an experianced cracker trades cracking techniques for "money laundering" techniques (however I doubt they have the "smarts" to avoid getting the bad end of the deal).

Which brings me on to,

"Some students are being sponsored through their IT degree,"

Depends on what you mean by sponsored, most student I know are almost perpetuly hard up in the UK. Any money they can earn is going to be gratfully recieved by most of them, usually with few questions asked if either it is not suspicious or if put over in the right way (like "my partner is cheating on me can you help me get into their computer to get the dirt on them").

Alternativly simply look on it not as money but "drugs" and not as students but "potential addicts". Then think of all the techniques "pushers" use to get people of that age hooked on drugs. I am fairly certain that more than the odd one or two would get roped in by this sort of activity.

So are they being "sponsored" or are they being "hooked". I guess it's a matter of your outlook and the semantics you wish to use based on the same partial view of the facts.

As for,

"The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study."

"Oh Please..." This has been true for centuries, with magic, making fireworks/explosions, lock picking, safe cracking, codes, building crystal and valve radio sets and other "rabbit out of the hat" stuff. David Khan had a section in his book *The Code Breakers" about this which was published over 40 years ago.

About 30 years ago it was electronics and building your own computer from TTL chips (74181 if you could afford it) and using such things as mechanical "telephone dials" to generate pulses to program shift registers to get data into parellel form.

I know I got into this at school partly from a Physics master who got fed up with having to talk to me about my bad habit of swaping locks from bike to bike for fun at lunch time. And partly from pure curiosity on my part. Imagine an old KSR teletype and 300 baud achostic coupler modem "it talked to you in a secret language". You typed up your programs onto punched tape, and if you where lucky they loaded and magicaly produced answers. You could only do this at lunch time which kept me out of trouble ;)

Then the introduction to electronics I was almost instantly hooked, can you imagine my pure joy when the "serial CPU" I had designed and built from D types Nand and Exor gates worked, and added up two sixteen bit numbers (yup 8 bit had been done in the SCMP processor ;). Even the head master looked impressed on parents day (ego food, it was a feast ;)

Software is todays "Magic" of the kind Arther C Clark spoke of.

Put simply all boys of a curios and inquisitive nature are going to be drawn to this like a moth to a flame or a bear to honey. Amoungst other things it gives the less physicaly developed ones a degree of security against the knuckle heads in their school and area they live.

As for,

"By trawling websites, bulletin boards and chat rooms that offer hacking tools, cracks or passwords for pirated software, criminal recruiters gather information about potential targets."

Many very unplesant people are known to do this to children both girls and boys for their own "unplesant needs" and there are countless initiatives to catch them. So why (in a journos mind) would it be that unexpected for a "for money" criminal to use the same technique?

Personaly I have my doubts on this one, I suspect the "for money" criminals know the risks and are actually not using this kind of "recruiting techique". Possibly it is some of the "unplesant need" criminals using the story line as "new bait on the hook" or only somebodies speculative (/sensationalist) thought... I would need to see some real significant data on this one to be anything other than doubtfull.

As for,

"Once identified, young hackers are drawn in by being rewarded for carrying out low-level tasks such as using a network of hijacked home computers, a botnet, to send out spam."

This is a script kiddie lure that has been seen for some time and is almost as old as Cracking, Where do people think "L33t" talk comes from, it is indicative of adolescents and their need to "big it up" infront of their peers to establish status and gain inclusion into what in their eyes is an "elite group". With it's "secret communications", "coded talk", "forbiden knowledge" and "brownie points" to be gained and swapped, pluss joy of joys the ability to "look down on" and "rubbish" others, it's an almost iresistable lure.

Now the interesting one,

"The low risk of being caught and the relatively high-rewards on offer helped the criminal gangs to paint an attractive picture of a cyber criminal's life"

Now that one does not ring true with adolescents of the type that might be usefull to criminals.

I suspect that they don't use "a cyber criminal's life" as an example it would be "nah-kred" (or "uncool" if you are over twenty ;) to most adolescents. No they would be more interested in basic "ego stroking" and inclusion into what they see as an "elite group" and more importantly the mistique of a secret society and it's". As most parents know untill they become "older teens" they have no real understanding of money. If I was going to hook a young teen I would use "ego objects" such as games stations and computer hardware, either "on loan" or by "hey I have found this real great deal on ebay" and when showing it to them if their eyes light up say "hey you helped me out the other day here have it as a thank you".

So do I agree with Bruce and his,

"But I'm not sure if stories like these help or hurt"

Both it depends again on your perspective, "sensationalisum" help journos/hacks get stories by their jaded editors. Likewise it also gets people to read about technology (whilst unfortunatly thinking other thoughts) so that partly covers the "help" aspect.

However the one thing we do know about "joe public" he has the attention span of a gold fish when things go right and carps like crazy when they don't. Joe also has a tendency when floundering to blaim that that he does not understand as it is easier (and oh do some computer support people encorage this kind of ignorance). The end result Joe like any other fish out of water does not get to see the real world. And in all likley hood will develop a very distorted and short sighted view of what technology can do.

So poor old joe will not be helped at all just titilated and confused (I guess that covers the hinder part).

IainwDecember 15, 2006 2:50 AM

This is all about perspective. I would be surprised if anyone reading this blog was shocked that organized criminals use the internet for theft and fraud, as well a market place and money laundering tool.

What is important is to see this for what it is, a natural extension of their existing activities rather than some great new revolution.

There is however a benefit from articles such as these. They provide a wider knowledge that things like IM and Web 2.0 can be used to target users systems, not just e-mail and if this means those users will be more skeptical and cautious online then this is a good outcome. It can and should be done in a much calmer way and not attempt to cause hysteria. This is counterproductive in the long run - there are only so many scare stories people will take seriously and I remain to be convinced that IT students are being actively recruited.

Leo K.December 15, 2006 3:49 AM

Help or Hurt? I think these stories might help the public be more aware of what they do on the Internet.The hurt might involve drawing even more criminals to the sweet smell of easy money. After all crime has always paid..just a question as to whether the crooks get caught.

RobinDecember 15, 2006 6:17 AM

I mean that this story can hurt. Many young people can be excited by false dreams about money. They can try it... and become criminals.

C GomezDecember 15, 2006 7:56 AM

Well, the stories aren't news... a big problem with the media today and its idea that you have to have a new headline every 15 minutes. Many news stories aren't news, and this is one of them.

There are zero facts, no investigative reporting, no sources... merely a trumped-up "study".

I don't know if the article helps or hurts. I actually doubt anyone but us read it.

jimmyDecember 15, 2006 10:34 AM

at first I read it as "cybercrime hyper-alert"...no matter what the contents of the story, I would be interested in such a "hyper-alert"...it would signal that the 21st century was finally getting started!

Davi OttenheimerDecember 15, 2006 12:56 PM

"I agree with Bruce. I am not sure myself if the stories help or hurt."

Why not both?

Anyway, I like the fact that the story draws attention to the economics of the system. You have to factor in the threats when you assess risk (as in risk = assets * vulns * threats) so it makes sense to keep a tab on the level of expertise/experience and resources of people joining the workforce. Seems as real to me as any company monitoring the interest of people in/around their industry to help factor risks.

J.D. AbolinsDecember 15, 2006 1:11 PM

@Davi Ottenheimer re: "Why not both?"

Excellent point! They are not intrinsically exclusive.

One of the things I find useful in the news reports, even if some go towards hype, are clues to primary sources for information. The news articles are not the end but a pointer to other information.

AnonymousDecember 15, 2006 1:33 PM

I keep picturing the scene from The Untouchables, where they stop Capone's accountant in the train station from fleeing to Miami.

"There: The fat nerd with the coke bottle glasses who's slowed down by three laptops! Don't let him get on that plane!"

J.D. AbolinsDecember 15, 2006 1:39 PM

Re: "Online banking fraud 'up 8,000%'"

The BBC carried such a report at http://news.bbc.co.uk/1/hi/uk_politics/...

It was useful for me, mainly as a pointer to the Financial Services Authority (FSA) statement on phishing and as an exercise in digging for details. By the way, the FSA Web site is at http://www.fsa.gov.uk/ and their "Fighting Financial Crime" info & newsletters under http://www.fsa.gov.uk/Pages/About/What/...
may be interest to some of this blog's readers.

The 8000% figure seemed like a possible choice of percentage for the sake of an attention getting number rather than saying "by eighty times last year's figure".

It was interesting reading the details in the story that showed the real level of crime was not as clear cut as it first seems. It quoted Rob Gruppetta, of the FSA's financial crime team, saying, "We are very concerned about the rate of increase. It has gone up by 8,000% in the past two years."

OK, that gives different picture of the headline which may give an impression of one year's change. The next quote from Mr. Gruppetta gives a much better perspective one the "8,000%" phishing increase in the context of UK financial crime, "But in the grand scheme of total fraud it is still quite small."

The BBC article closed with Philip Robinson, the FSA's head of financial crime, talking about banks' apparent lack of transparency when it came to internet fraud. He believes it is because many affected banks are worried about misrepresentation of the crimes and reputational impact. Also, he claims there's a perception the "the likelihood of fraud being investigated is very low indeed". An economic factor of sorts; why report if the risks seem higher than the benefits.

MegsterMarch 6, 2007 7:19 PM

Wow, I am pretty surprized by the whole thing. It is pretty amazing what these people are willing to pay in order to have their own hackers. I wonder if it is really that profitable in the long run. I wish they would have mentioned how much the hackers are actually getting paid, compaired to their new boss. Because of this new chain in command that is developing, maybe it will be like a drug bust, where you just have to work up from the bottom to find the person you are really looking for.

ShaunNovember 28, 2007 12:55 PM

It seems to me that every here has missed the point... The idea of the initial CNN news article is not merely to present news, but rather to elevate into public view, the seriousness of cyber-crime. Its not just about 'joe public', it IS about the various proponents cybercrime to start working together as a cohesive unit, and making cybercrime a mainstream crime. Until it is a mainstream crime, it will not be dealt with in the way murder, or theft is. Further, there is so much cybercrime being reported, that the Met police are unable to handle it.

More needs to be done, and the only way to do it is to have people like CNN broadcasting it. So in effect, yes, the articles help.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..