WANTED: A new breed of superhero

How much is an identity worth? If you know the right people, ten minutes and ten bucks. If you don't know the right people, it's half and hour, access to Google and ten bucks.

The truth is that today more personal data than ever before is held by banks, retailers and credit brokers on computer systems.

Unfortunately for those whose job it is to protect those systems, there's a new breed of net-savvy criminals who not only know the right people, but make money mining and trading identities through elaborate, expanding online networks. This criminal sniffs around vulnerable systems looking for details about the common man, sends emails with links to finely detailed fake websites, and sells people's identities by the thousand. This new breed of online law-breaker needs a new breed of security guru to fight back.

In 2004, a group of North Florida students (the section of society traditionally the preserve of 'harmless geek') wormed their way around a library computer until they found their way onto the county system. After some rustling around the poorly protected HR records of the local sheriff's office, they had enough information to set up credit card accounts using staff names. The teens were caught, spending money on the new cards. But the problem remains – there is an awful lot of personal information out there, and a lot of people who want it.

Often, users are quite happy to give their personal information away, a potential disaster highlighted by the relative success of phishing emails. The latest stats from the Anti-Phishing Working Group (AWPG) show email fraud and phishing attacks have risen by over 4,000 percent this year. In September 2004, says deputy assistant director of the FBI Steven Martinez, ten million U.S. citizens had been victimized by identity theft, leading to losses of an estimated $50 billion.

"There has been a significant change in the type of hacking we're seeing now," says Phillip Hallam-Baker, principal scientist at certificate authority Verisign and an expert in phishing fraud. "It's no longer script kiddies – there's a high level of sophistication."

On the phishing side, the sophistication has moved on from early attempts, poorly spoofed websites easily recognizable as fake, to expertly crafted sites that even experienced security professionals find hard to distinguish from the real thing.

"Because users are becoming more wary of phishing scams, they've had to improve their methods," says Dmitri Alperovitch, a research engineer at email security company Ciphertrust. "Crime always tends to go for the lowest-hanging fruit. Roughly 20 people still fall for each phishing attack."

Most phishing sites are only up for at most three days, requiring coordination with spammed emails linking to them. Such complicated attacks can only occur when organized crime is involved.

"It is very organized. There are online job centers looking for people who can help create botnets, send out spam and create the phishing websites," says Alperovitch. "In a five-day week, one group can expect to make $50,000. And the language they use is very similar to organized crime, with 'bosses' and 'soldiers.' They're [copying] the Mafia."

Alperovitch tracks groups that send out phishing emails. He says most of them come from eastern Europe. Rather than organized crime, he believes the groups are formed by the net-savvy who have created networks of contacts in an effort to make money.

Hallam-Baker goes further, suggesting that although this might be true of the great majority of phishers, traditional organized crime groups are involved.

"Of those who actually make any money, it's half recognizable organized crime and half who have made money solely through the net," he says. "These top guys make a lot of money, but avoid the risks associated with it by getting mules to do their dirty work."

'Mules' are the phishers who actually send out spam emails, create the botnets and launder the money made. Despite the dangerous nature of their work, they often earn less than minimum wage.

"Crime often works like this. It's not necessarily the easiest or most profitable lifestyle, but it can be very convenient in poorer countries," says Hallam-Baker.

According to Mark Murtagh, technical director of web filtering company Websense, not just anyone can become involved in phishing and ID theft. Even criminals have to work their way through a trust system.

"Initially, you might be asked to do a couple of small jobs and build up a reputation, much like on eBay," he says. "Once you are trusted, your reputation score goes up and you get asked to perform more profitable tasks."

Perhaps the most notorious of online criminal groups was the Shadowcrew. Involved in phishing, defacement and writing viruses, the online posse of nearly 5,000 members actively traded in botnets, advice and malware until the FBI shut the Shadowcrew down last year. The most commonly traded commodity was 'dumps' of credit card data. If there was information associated with the accounts (social security numbers, addresses, and so on), the dumps would sell for more.

After it had taken control of the group's homepage, the FBI posted a notice on it saying, boldly: "You Are No Longer Anonymous!!" But the sheer volume of data traded by the Shadowcrew highlights the success of phishing and ID theft. Moreover, phishing emails have risen since its downfall and, according to Hallam-Baker, four or five large groups are still operating. Other experts agree.

"Several people have declared they're moving away as a result of the increased police presence, but many have just moved underground," says Alperovitch.

"They've definitely gone elsewhere," says Murtagh. "Internet Relay Chat is one safer home to the phishing business. Bots and malcode are still being traded. They are now so sophisticated you can actually track the progress of your botnet."

Perhaps the best indication of how organized ID theft has become is that a phisher can track the success and spread of any malware or emails using programs traded in the criminal fraternity.

Naturally, as with any business, phishers are out to maximize their profits. James Kay, CTO at email filtering company BlackSpider, has noticed a trend towards combining phishing emails and the malware that creates botnets.

"The attacks are slower and more organized, with no attempt to get any publicity," he says. "Behavioral changes, such as [phishers now] including malware, can help increase the productivity of any single phishing attack."

Phishing and other, more obvious forms of identity theft have reached a new level of maturity. For the criminally minded, there are now many ways to steal someone's personal data.

Those wanting to steal account details from a personal computer can purchase an extraordinary range of keylogging devices. One such device can be affixed to the keyboard connection and then melted to it, making it seem as if it's part of the system. Others can be made to order, perfectly matching the target unit.

There's a host of spyware keyloggers, pieces of software that can be inserted through email attachments, from removable storage devices or even by clicking on the wrong website.

With such devices readily available (a simple Google search for 'keylogger' reveals thousands of hits), defending an organization against ID theft can be difficult. Rumors persist that the recent $423 million attempted cyber-heist at Sumitomo Mitsui bank was caused by cleaners inserting keylogging devices, highlighting how relatively simple it is to steal large amounts of money.

Companies can vet all incoming staff, but how can they ever really be sure that the person they are hiring is trustworthy?

"Security is difficult, and there's no one solution," says Nick Coleman, head of security services at IBM. "There are three basic areas to cover – people, process and technology – but users will always make mistakes."

As well as untrustworthy staff is the problem of those who are simply being too friendly.

"Staff, such as call center agents, are trained to be helpful," says Jim Gardner, director of corporate marketing for security company Intervoice. "The Kevin Mitnicks of the world can get a lot of information with very little effort."

Even the most educated user will slip up, and few users of a corporate network come close to falling into that category.

"A lot is being done, and users are becoming more aware of dangers because of media coverage and education," says Piers Wilson, head of technical risk assurance at Insight Consulting, Siemens' security division. "But to prevent bigger losses, a huge cultural change is required, and that will take a while."

Privacy lobbyists at the Electronic Privacy Information Center assert that ever more personal data is being stored electronically. And despite recent scares, online banking is still on the rise. Recent surveys say ever more staff are making online purchases using work computers.

But with the criminal fraternity now gearing increasingly towards stealing personal data, it seems all anyone can do is cross their fingers and hope it isn't theirs that gets stolen. After Sumitomo Mitsui almost lost half a billion dollars, operating in one of the most heavily regulated and closely watched industries, it seems obvious that, for all the advantages the internet has brought, user identity has rarely been less safe than it is now.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.