Border crossing: Fighting international cybercrime

September 1, 2009

With international collaboration, prosecutions of cybercrimes are becoming more common, reports Angela Moscaritolo.

For FBI agents tasked with fighting cybercrime, working with other law enforcement agencies across the globe is as common as talking around the water cooler.

Fighting cybercrime is unlike fighting traditional crime because it has no geographic borders. Law enforcement bodies around the world employ varying laws, languages and investigation techniques. Even with these logistical challenges, the FBI and other global law enforcement bodies have had numerous successes recently, including the takedown of a major cybercriminal forum called "Dark Market." But the majority of cybercriminals still go unpunished, experts say.

"Almost every cybercrime case has an international component," says Shawn Henry, assistant director of the FBI's cybercrime division. That's because organized cybercriminal groups will often come together virtually via the internet. These entities are made up of members from many countries, each with a specific expertise, Henry says. One person writes spam emails, another has a botnet (a network of compromised computers used to launch attacks or send spam), someone else operates a server where victims' names, Social Security and credit card numbers are harvested, and another person turns the information into cash and funnels it back to the other members of the group. Even attacks launched from the United States against another group or individual within the country might include communications that are transmitted from overseas, Henry says.

"The international aspect of these cases might include half a dozen law enforcement agencies from half a dozen countries," Henry says.

And while the majority of this activity is being carried out in the invisible realm of cyberspace, the threats these law enforcement agencies are fighting are all too real. For many corporations, cybercrimes often harvest sensitive business and customer data, which can result in hundreds of millions of dollars in losses, Henry says. Cyberthreats also pose a danger to national security and put our critical infrastructure at risk, he adds, since government networks house sensitive policy, strategy and weapons systems information — all of which is at risk of getting into the hands of adversaries.

"We are looking at a threat from foreign governments, from transnational organized crime groups and terrorist agencies," Henry says.

Since many cybercrime cases either start or end overseas, the FBI relies on what it dubs legal attachés. The bureau has agents deployed in legal attaché offices (also known as legats) in 75 countries. For example, the FBI deployed a full-time cybercrime agent in Romania in 2008. Because of this agent, working directly with local law enforcement, 100 cybercriminal arrests have been made in the past year, Henry says.

The FBI has used its success in Romania as a model for fighting cybercrime. Earlier this year, it deployed an additional agent in Estonia. Henry says that by mid-September, the bureau will deploy two additional agents in two more countries working nothing but cybercrime cases.

In another example of successful international collaboration in fighting cybercrime, what could have been a scene out of Miami Vice was prevented, says Roel Schouwenberg, senior anti-virus researcher at security vendor Kaspersky Lab. Last year, FBI investigators caught wind of the Shadow botnet, believed to have been maintained by an individual in the Netherlands. The FBI contacted the Dutch High Tech Crime Unit, after which the unit's officers caught and arrested a 19-year-old Dutch man in the act of selling the botnet to a Brazilian man. The two alleged cybercriminals were said to be in the middle of their transaction at a restaurant when police swept in and made the arrest.

"The FBI working with Dutch police is good collaboration," Schouwenberg says. Kaspersky was later contacted by Dutch police to help analyze and remove the malware used to build the botnet.

While the U.S. government has had success in fighting international cybercrime, state law enforcement agencies just don't have the resources to do so, says Pamela Warren, cybercrime strategist at McAfee. But efforts are underway at one state agency to ensure public safety.

Over the years, numerous Minnesota residents came forward to the state's Department of Public Safety (DPS) reporting that their bank accounts were drained in elaborate scams that started with an email, says John Willems, director of the Minnesota DPS's alcohol and gambling enforcement division. Victims reported receiving emails, which appeared to be sent from legitimate banks and state lotteries, saying they won huge amounts of money. Once an individual responded, con artists persuaded victims to wire money as a shipping and handling fee to retrieve their prize. Criminals then threatened individuals with death, arson and rape to send more money. Victims reported losing anywhere from $250,000 to $1.5 million to these crimes and begged for justice. Initially, state officials thought there was nothing they could do because the crimes were committed by people outside of the U.S., Willems says.

However, with Minnesota residents having been defrauded of approximately $30 million by these crimes, the department was convinced it had to do something. In March 2007, the department began an effort to bring the fraudsters to justice, says Willems.

It discovered that the thread of many of these crimes could be traced back to Jamaica, although Jamaican authorities had no complaints about them. Willems says that working with the FBI's legal attaché in Jamaica, the department gradually built relationships with Jamaican law enforcement to work hand-in-hand to fight the fraudsters.

"Our purpose is to give information about the crimes, such as documentation records and witness interviews, to Jamaican authorities so that they can build a case and have the evidence they need for successful prosecutions," Willems says.

Getting the information to Jamaican authorities has been a key element to success, he adds. Recently, nine Jamaicans were arrested for these crimes, and that's just the beginning. Now, the department is developing relationships with law enforcement agencies in Canada, Spain and the U.K. to fight cybercriminals.

Vast majority goes unpunished
Even with the successes that have been made in fighting cybercrime recently, the "vast majority" of cybercriminals still go unpunished, says Sean Brady, senior product marketing manager for RSA's identity access and assurance group.

Jim Butterworth, director of cybersecurity at Guidance Software, a company that provides computer forensics solutions, agrees. He says the amount of cybercrime today far exceeds the international authoritative bodies' ability to keep up with it.

Because of this workload, adds McAfee's Warren, law enforcement bodies only go after the cases they think will have the most success.

Kevin Hyland, detective inspector, Scotland Yard, echoes this, explaining that international cybercrime cases often involve costly travel expenses, which prompt enforcement bodies to consider the cost of their activities. In some cases, the severity of the cybercrime justifies the cost, he adds. Other times it does not.

[sidebar]

Dark Market: The underground

One of the biggest anti-cybercrime success stories to date was the takedown of Dark Market, a forum that was used as a “super mart of the underground,” says Keith Mularski, senior cybercrime agent at the FBI. 

For two years, Mularski played the role of a spammer with the handle Master Splyntr, infiltrating the Dark Market in a sting operation. He says the forum had strict entry policies. In order to get in, two other members generally had to test the newcomer's “product,” which might be credit card numbers, counterfeit identification cards, botnets or exploits, and write a review for the other members.

In the beginning, Mularski built up his credibility by doing the opposite of what a cop would do: He didn't ask questions. He got to know members, making small talk about sports, and slowly gained their trust. Then, when a battle with another criminal group threatened to close down the site, Mularski approached site administrators with an offer to take over and host the site. And they accepted. 

Mularski says that he saw criminals with different specialties from various countries band together on jobs. Little by little, working odd hours in the middle of the night and while on vacation, he got bits of information about the criminals, such as a name or hometown, which he was able to pass along to foreign law enforcement agencies. The operation resulted in 60 arrests worldwide and the dismantling of the Dark Market carding site, Mularski says.
