I was quoted last month in an article at PC Retail (http://www.pcr-online.biz/features/305/The-truth-about-cyber-crime), which is nice. However, I just came across the notes I made at the time of the original enquiry/interview, most of which wasn’t used, so here are my full responses to the questions Andrew Wooden asked, in case they’re of interest. (Actually, they’re slightly expanded and I’ve made a few corrections: I sent my original responses by Blackberry, as I was on vacation at the time, and there were some minor typos.)
1. Where are the majority of threats coming from, geographically?
Location is often hard to determine. Brazil and eastern Europe seem to be particularly associated with ID theft and phishing (and mule recruitment for moneylaundering). The Far East too, but China also seems to be cited as a hotbed of industrial and military espionage, though the amount of military involvement is moot. West Africa remains well-represented on advance fee fraud (419s, certain kinds of job scams, lottery scams). Stock fraud and some forms of spam are commonly perceived as originating in the US. But any state with reasonable connectivity can originate or relay threats. A lot of the actual code seems to comes out of S. Asia.
2. Is it becoming more organised?
Cybercrime is already very organized on business models analogous to legit models. There are still amateurs and lone operators but they’re more profit-driven now and often offer freelance services on the same lines as the more "professional" cybercriminals.
3. Many have described an ‘underground economy’ creating the bulk of the malware around the world. Could you describe the tiers of this and how they interact with each other, from programmer, to commissioner, to end benefactor?
There’s a lot of specialization: coders, kit providers, moneylaunderers, botherders, cardfraud specialists. Much of it is negotiation between freelancers but cooperation often mirrors (roughly) free economy models. In general the top tier "service provider" either rents access to a botnet to a "customer" or manages attack services for them in return for fee.
4. The people designing these malicious programs must have an extraordinary amount of technical knowledge. Presumably they have also been educated to a high standard. Why don’t these people end up in legitimate programming careers rather than digital crime? Are the creators getting that much money?
A lot of code is actually workmanlike rather than sophisticated but that’s often enough. Most of the R&D goes on detection evasion. That and the problem of sheer sample glut are enough to keep a gang under the radar much of the time. Some social engineering attacks are creative, but many are actually very stereotypical. Much of the problem is a failure in educating victims, not technical brilliance on the part of criminals.
As for motivation, education hasn’t eradicated sociopathy in Western culture and some other cultures and economies almost enforce what we see as criminal behaviour. On the other hand, even in the West many people find it hard to extrapolate ethical norms to an online context.
Yes, a lot of money is being made, but most people are getting a thin slice of the salami. In many cases they don’t discriminate between ‘good’ and ‘bad’ behaviour even if they realize that participating in click fraud or being a money mule hurts others because they can’t afford to… Sometimes or often there’s an element of duress.
Maybe I should expand on that in-joke about salami: salami-slicing is a name sometimes given to fraudulent activities where tiny sums are misappropriated from many people rather than large sums from a few people (or organizations). The term goes way-back, but the approach is often used by banking Trojans.
5. How much more sinister is malware getting?
Malware is sinister by definition :) but today’s threats tend to do more damage to the victim’s financial and general wellbeing. Older threats usually compromised (or, more rarely damaged) systems rather than people’s offline health and wealth. They probably hurt corporates more dramatically than individuals – not that it isn’t grim to have your hard-disk trashed, but there are collateral forms of damage such as loss of reputation and legal complications that were less likely to affect home users than corporate organizations.
There’s a trend these days to threats that also compromise national security: overstated right now maybe but definitely a trend upwards.
6. Is it being taken more seriously by police organisations? How differently is banking theft considered to a mugging?
Less a matter of perception than resources. Local law-enforcement tends to manage "traditional" crimes better than cyber-crime, and more centralized, specialized units are under-resourced for the size of the problem and concentrate on crimes entailing massive financial damage. Local forces tend to use different performance metrics.
As it happens, resourcing and expertise is an issue that’s been highlighted again this month by the Wall Street Journal: see Randy’s blog here.
7. Do you think more needs to be done by organisations like Interpol?
Law enforcement agencies are limited in resources and expertise, as well as mandate. More attention from LEAs (Law Enforcement Agencies) to one area impacts negatively on others. However, cooperation with other groups (vendors, security services, other researchers) fills some of those gaps.
8. There has been reports of governments coming under attack by malicious software. Is there a growing problem of cyber terrorism?
Many attacks that affect governments aren’t targeted. Spear phishing, where an individual -is- targeted, sometimes originates with the military or espionage services rather than terrorist groups, though sometimes the distinction is fuzzy. I’d say that out-and-out terrorism is more often associated with other kinds of disruptive attacks such as website defacement and denial of service, though any group might try to steal credentials with malware or by social engineering, in order to effect an attack. However, terrorism-related spear phishing and other cyber-attacks are likely to rise rather than diminish.
9. Some have speculated that rather than individuals, states could be at the heart of some malicious attacks recently. Is there any truth in this, and could a type of malicious programmes become part of a military’s arsenal in the future?
The military have been looking at cyberwarfare for many years. It’s not possible to say authoritatively how often it’s been used offensively. For instance, the "Iraqi Printer Virus" of the first Iraqi offensive is usually assumed to be a hoax, but I’ve been told by surprisingly authoritative sources that there is some truth in it. (But not how much!)
Many of the attacks that are ascribed to states attacking other states are certainly actions by individuals or informal groups.
10. The years ago are very different to today. What type of threat can we expect to emerge in the future?
I’d expect more professionalization with regard to quasi-terrorism. More cybercriminals will masquerade as legit businesses, as happens now with fake security software. Attack technology tends to be somewhat cyclic, so we tend to see new twists on old scams. The most effective threat is still social engineering, and I don’t see that changing. Major shifts in the threatscape like the diminishing proportion of worms and viruses occur quite slowly, and old techniques are often revived.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET