» Scams, spam, spies and me
From the Cork suburb of Bishopstown, online security specialist Robert McArdle works with an international team to combat new developments in cyber crime
THE LEAFY Cork suburb of Bishopstown, a mix of established estates and newer student complexes, is not where you expect to find an online security unit liaising with the FBI to tackle some of the world’s most serious cyber criminals.
Yet, here in the offices of Trend Micro, 28-year-old Robert McArdle, manager of “advanced threat research”, is leading a team of 18 employees, based around the world, who are attempting to thwart online criminals.
His work involves assuming different aliases and posing on forums where sensitive data, such as credit card details or PayPal accounts, are traded by criminals. For a company like Trend Micro, McArdle and his team are the eyes and ears of the operation, building awareness of new online threats and trying to keep pace with sophisticated criminals.
It’s a constant battle. “Criminals have the advantage of using multiple jurisdictions,” says McArdle. “We don’t even have coherent European-wide laws on cyber crime. It’s a cat and mouse game really. We come up with a defence for these crimes, that defence holds in place and then they find a way around it and off we go again. It’s a classic arms race. One guy invents a tank, then the other side invents a bazooka to blow it up and on it goes.”
So what is the expert team trying to combat and how safe are we online? McArdle says there are essentially two types of online criminal: “You have your highly skilled classical hacker type and then you have someone with zero skills who buys the information from someone else. So if you want to access the detail on say 10,000 machines, you can buy that for €1,000. Anybody can do that, once you find the right forum.”
The cyber security unit is less concerned with those “zero skills” people as they can’t cover their tracks.
“The major cyber criminal gangs are trickier and many are technically skilled,” says McArdle. “It is said that the only difference between a security researcher and a cyber criminal is ethics. Our skill sets are very similar. The difference is though if I find a hole in a server, I’ll call the company and let them know. If a cyber criminal finds a hole, their response is: how can I make money out of this?”
McArdle shows me forums he is tracking. Most are in Russian and have been translated into English by eastern European colleagues. A menu pops up offering everything from individual credit card numbers to e-mail spams. One hacker is offering bundles of European credit cards for $10 (€7) or US equivalents for just $2 (€1.40). These credit card numbers are then used to shop online, generally for large items such as TVs or computer equipment.
Also advertised on the forums are “denial of service attacks”. These enable a person to pay a hacker to attack a competitor for a week and cripple their server or take down their website. The prices range from $50 (€34.60) for a day to $1,200 (€830) for a sustained attacked over a month.
You can buy spam accounts, fake e-mail addresses, login passwords, fake anti-virus programmes and programmes which install expensive dial-up connections to home computers. It’s a cyber criminal’s paradise.
“We track a lot of details about bad guys or cyber criminals and put these on an internal system where we build up our database,” says McArdle. “We track forums all over the world and work with several law enforcement agencies. It involves trying to get access across all sorts of jurisdictions. One criminal recently had a server in the US. We followed the trail and it went from there to Iran, then Pakistan, India and ultimately China. So you get a sense of how difficult they are to track.”
Another anti-virus scam the team has been tracking threw up a bonus when the unit was able to see how many visitors the scam attracted per month. It highlighted the potential revenue available to criminals and why online crime can be so lucrative.
“We found the ultimate landing page on these guys’ servers and it was left unsecured, so we could see their own statistics,” McArdle says. “It was a fake anti-virus page that looks very authentic. It had 116 million unique visitors in one month. You get directed to a website and are asked to install a programme. To fully install it, you must pay a $50 contribution. If just 1 per cent of those people who did this paid, that brings in $50 million revenue, for just one month’s work.”
The day after we speak, McArdle is flying to Taiwan to meet the rest of his team for one of their regular conferences. As they are all based in different parts of the globe for strategic reasons, they meet several times a year for updates on cyber threats and anti-virus developments.
“It’s good to grab a few beers and talk about the bad guys,” he says.
Cyber crime: the changing ground rules
2011 has seen attackers move back to the traditional targeted attacks of the past, with highly public breaches such as those on Sony and Epsilon.
At the same time the less targeted banking trojans and botnets continue to be a major problem.
THE RISING THREATS
Location aware attacks: Mobile devices know where you are all the time. Even with GPS, they can work out position based on cell towers, nearby Wi-Fi networks, etc. Attackers will look to exploit this knowledge.
More and more data losses: The desktop PC is all but dead, and most of our data is now stored in the cloud, or on an expensive (and easily losable) electronic gadget in your pocket. Even pickpockets will soon begin to realise that the contents of that stolen phone far outvalue the device itself.
Targeted attacks will rise: These attacks will not only be carried out for the criminals’ financial gain, but also at the behest of rival companies (espionage). How valuable is it to company X if their competitor’s site is inaccessible for a week? Or if their brand is damaged by a massive compromise?
WHY IT’S SO BIG
Difficult to prosecute: Every cyber crime will normally involve at least three jurisdictions, if not more. It is easy for attackers to set up an infection chain that crosses international boundaries (normally of countries with poor diplomatic relations).
Ease of entry and communication: Most cyber criminals have never coded a piece of malware, and would not know how. For as little as a few hundred dollars anyone can purchase a DIY toolkit that allows theft of financial data, such as Spyeye or ZeuS. Cyber criminals also communicate very well, with competitors regularly swapping tips on public forums.
Lack of awareness: The largest flaw in any computer system is still, to quote one expert, “securing the nut between the keyboard and the screen”. A large amount of malware, especially fake anti-virus, is installed accidentally by humans. Cyber crime needs the same level of public awareness that drink driving and anti-drugs campaigns generate.
IS THE BATTLE BEING WON?
The law is catching up: Laws, such as the European convention on cyber crime, are very important so that we can face this threat with common international laws.
Communication is improving: Law enforcement agencies are working more closely together than ever. There is some top-notch talent in the world’s cyber investigation units.
We are becoming more wary: Generation Y rushed to put its entire personal life online. Now people are becoming more concerned about their privacy.