You switch on your
computer, as normal, but instead of the familiar welcome screen, desktop icons,
file folders and web browser, a warning flashes before your eyes. It is from the
National Fraud Intelligence Bureau, which says it has discovered child
pornography, zoophilia and other illegal materials on your hard drive, and has
locked you out of your computer until you pay a fine through the provided link.
Unsure why this horrible mistake has occurred, you panic. You don’t know what to
do. Your computer has essential files you need for work, not to mention your
music, your photos, your memories. So you pay the “fine” and the screen goes
away.
You have been hacked. But by whom? The world of online fraudsters
has grown at alarming rates, according to RSA, an online security company whose
Anti-Fraud Command Center is based in Herzliya Pituah. While cyber warfare
attacks like Stuxnet and Flame (which targeted Iran’s nuclear program) fill the
headlines, a digital criminal underground remains largely hidden. Not only are
there more “bad guys” out there trying to defraud you, steal your financial
information, or get into your financial institution, but they are doing so with
new levels of sophistication. A digital black marketplace in which hackers buy
and sell different kinds of malware designed to infect computers, spy on their
users and, ultimately, access their cash involves huge sums of money each
year.
“In regular markets, you have vendors yelling ‘Watermelons!
Watermelons!’ Here they are selling scripts,” says Idan Aharoni, RSA’s head of
cyber intelligence.
Creating a sophisticated cyberattack is no easy task;
a phishing scheme could involve, for example, writing the malware program,
creating an official-looking email, obtaining huge numbers of addresses to spam,
building a hidden server and crafting a strategy on what to do with the stolen
data. Like in the real economy, online fraudsters have begun to specialize, each
learning, crafting and selling their particular wares in the underground online
marketplace.
But how much impact does this have on real people, on real
businesses or the real economy? “Right now there simply are no reliable figures
about the true impact of cybercrime out there; they are all guesstimates at
best,” says John Lyons, chief executive of the International Cyber Security
Protection Alliance. “What we do know is that cybercrime is getting more
industrialized, more professional, and that it’s growing.”
To paraphrase
Stalin, when one person is hacked it is a tragedy, when a million are, it’s a
statistic.
Interpol estimates that in 2007 and 2008 the cost of
cybercrime worldwide was about $8 billion, while corporate cyber espionage stole
up to $1 trillion worth of intellectual property. The 2012 edition of the Norton
Cybercrime Report calculated the direct costs of global consumer cybercrime at
$110b. The indirect costs they calculated for the previous year (including lost
time and effort) added up to $274 billion.
Neil Robinson, a research
leader at RAND Europe, notes that the disparity in estimates comes from the fact
that there is little agreement on how to define and measure what constitutes
cybercrime. Financial institutions prefer to mask losses, while companies
selling security have an incentive to inflate figures, to highlight both the
magnitude of the danger and the effectiveness of their services. A flat-screen
television hanging in the entrance to RSA’s Herzliya Pituah office displays a
fast-rising clock of losses prevented since January 2012, which in late January
this year had reached $3.37b.
RSA’S OFFICE building feels like a
futuristic luxury prison. Automated glass gates block access to the spare,
button-free elevators, which are pre-programmed to reach certain floors using
security keys and a number pad outside their doors. Even the coffee machine is
hi-tech, automatically grinding and delivering espresso to waiting employees at
the push of a button.
“Ever since ‘the breach’ we’ve hardened the
infrastructure,” says Daniel Cohen, the head of Business Development and
Knowledge Delivery for RSA’s managed threat services group. In 2011, a
sophisticated phishing attack using a ‘Poison Ivy Trojan’ bug hit the company,
making off with sensitive passwords and information.
“It’s not a good
thing when a security company gets breached,” he remarks.
The facility
houses RSA’s Anti-Fraud Command Center, which processes and takes down
phishing attacks 24/7 for some of the world’s biggest banks, financial
institutions and corporations. The division features original Israeli
technology, pioneered by a company called Cyota, of which new MK and head of
Bayit Yehudi Naftali Bennett was founder and chief executive, and which RSA
acquired before it was snapped up by Fortune 500 giant EMC.
Cyota found a
way of automating its security services for anti-fraud, anti-phishing,
anti-Trojan and other types of inter-connected tools, says Orna Berry, corporate vice president and general manager
for the Israel Center of Excellence, which oversees RSA here.
“Israel is
the base for this type of technology, and the services that automate them,” she
says. Companies can take advantage of the security without having to install,
manage and update software on their own systems, making it much easier for them,
and much cheaper for RSA. “From Cyota, the automated concept has been scaled up
20-fold in terms of sales, but only 4-fold in terms of people.”
Down the
hall from the anti-phishing war room, a devoted group of digital do-gooders
descend into the depths of the fraudster underworld, monitoring the marketplace
of hawking hackers.
The price of “Zeus,” malware that can record your
computer’s every move down to your mouse clicks and keyboard strokes, commanded
$3,000 in 2007.
Today, it is so readily available that the going rate has
plummeted to $15. For $700, a hacker can buy access to a network of
already-infected computers. Financial spies easily trade data storage space,
virtual networks to execute their attacks, installation programs to run their
malicious software and control infected machines, and for an extra $100,
workarounds for Google’s “ultra-secure” Chrome browser.
“That’s how easy
it is to become a Trojan operator,” says Cohen.
The fraudsters have their
own code of honor to help them stay clear of law-enforcement agents, creating
special invitation-only forums where they can buy and sell lists of stolen
credit card numbers, which include precise details about their owners to help
hackers mask suspicious online purchases.
IF THE existence of secret
criminal backrooms off in the computing cloud weren’t unsettling enough, a new
trend is letting fraudsters penetrate people’s wallets right through their
pockets.
Since the introduction of the iPhone in 2007, smartphones
(cellular phones utilizing mobile operating systems) have exploded (717 million
smartphones shipped last year alone), creating a huge market opportunity for
mobile malware. Not only do people access e-mail and the Web from their phones,
they download billions of applications, or “apps,” from online stores, including
banking and other financial software. Android-based phones represent about 70%
of the smartphone market, and last year alone they uncovered 25,000 samples of
malware.
Of those, about half are “premium service abusers,” which make
quick phone calls or send text messages to premium pay services that extract
cash right through phone bills. About a fifth of the malicious software installs
advertising on the phone, while another fifth steals data. The remainder
download additional software, give hackers access to control the device remotely
and spy on the users.
To keep criminals out of their data, RSA recommends
using two-step authentication processes for accessing e-mail and other accounts.
Google, for example, will send you a text message with a code each time you try
to log in, meaning anyone without access to your phone can’t access your e-mail.
But more than individuals, it is businesses that must worry about safeguarding
the financial information they collect from customers.
Though phishing
and Trojan attackers don’t typically target “mom and pop” shops specifically
(one might say they have bigger “phish” to fry), they would not reject any that
got caught in their nets.
“Get protection on day zero,” RSA’s Aharoni
urges.
“The day you have information that someone would find interesting
is the day you need protection.”
It is preferable, he says, to get an RSA
notification that there are hackers at your gates than to discover they’ve
already made off with the goods before disappearing into the binary matrix.