
Freezing assets and turning up the heat

Some perpetrators of cybercrime do get caught. This is important to bear in mind if you spend much time dealing with malware and cybercrime. Unfortunately, a lot of the good news in the fight against cybercrime tends to get buried, sometimes by bad news about the latest headline-grabbing security breach. So here are some positive cybercrime items from the past few months that you might have missed, starting with the freezing of $14.8 million in ill-gotten assets by the authorities pursuing Bjorn Sundin and Shaileshkumar Jain, two guys who ripped off millions of consumers and businesses by selling them fake anti-virus software.

I will get back to Jain and Sundin in a moment. First I'd like to share a story from Seattle that you might not have noticed. The September 21 headline simply said: "Three Seattle men charged in hacking spree," but that understates the full story. When you read the announcement from the U.S. Attorney's office for the Western District of Washington, you find these three guys are accused not only of hacking the networks of more than a dozen companies, but also of physically breaking into more than 40 businesses to steal equipment and information, both personal and business, which was then used for fraud. For example, they used stolen credit card numbers "to purchase tens of thousands of dollars of high tech equipment and luxury goods that they used or sold." Beyond that, they hijacked payroll information "so that payroll funds would be distributed to accounts under their control." They also sent company funds "to reloadable debit cards, allowing them to rapidly cash out the company accounts."

What is notable about this case, according to U.S. Attorney Jenny A. Durkan, who chairs the Justice Department's Cybercrime and Intellectual Property Enforcement working group, is that the thieves mixed old school with high tech. For example, they would break into a company to get computer equipment, which they then used to hack into the company's network. They outfitted at least one vehicle for war driving so they could hack into wireless networks, from which they would then steal information with which to commit fraud, or they might use the network to hack other targets without being traced.

However, prompt reporting of irregularities by business owners meant the suspects were identified and indicted. Putting this 10-count indictment together clearly took a lot of work and the attorneys involved deserve a round of applause for their efforts. If convicted, the defendants face up to 15 years in prison and a $250,000 fine. Hopefully, the authorities will get speedy convictions and then impose heavy sentences to discourage other lowlifes from trying their hand at this troubling mix of computer abuse and old-fashioned thievery. In the meantime, small- and medium-size businesses need to be aware that it's not just big companies that are targeted by cybercriminals. If you're a small business owner, I encourage you to read the above-mentioned announcement of this indictment, which includes tips to keep your business from becoming a victim of cyber lowlifes.

Speaking of lowlifes, Jain and Sundin, the two guys I mentioned earlier, serve as a vivid reminder of the kind of scammers that are lurking out there, ready and willing to try anything to separate you from your money. The twisted tale of their company, Innovative Marketing Ukraine, was recounted in a recent issue of WIRED magazine and it makes for sobering reading.

Currently these two are wanted men, on the run from a $100 million indictment (you can see their mug shots here). So, although the freezing of a Swiss bank account in which they had stashed $14.8 million in ill-gotten gains is good news, it is short of a full recovery. Hopefully, they soon will be brought to justice and serve serious time. After all, the actions of these two frauds, and the legions of scam artists just like them, not only hurt the pocketbooks of millions of consumers, but they also undermine the economic potential of the cyber economy.

To end on a high note, of sorts, I would include one more recent law enforcement success, the arrest of the Florida man who breached the email accounts of dozens of celebrities, notably Scarlett Johansson and Christina Aguilera. The good news in this case, apart from the fact that the F.B.I. was able to catch the guy, is that he was acting alone. The lesson from the case, even for those of us who are not celebrities, is that the email accounts were “hacked” by guessing the passwords, apparently aided by personal data revealed on social networks. The feds get cybercrime-fighting bonus points for using this arrest to increase public awareness of the need to use passwords that are harder to guess.
