In 2012 we will see more high-profile arrests of cyber criminals and more botnet takedowns, but that’s just my opinion, and only one of many predictions being aired as 2011 winds down and the world looks forward to 2012. When you spend most of your time researching various aspects of data security, like malware and cyber crimes, you quickly learn that predictions can come back to bite you, hence the reluctant prognostications of my colleague David Harley, which sometimes veer toward the tongue-in-cheek. However, unless your personal or professional circumstances are such that you can afford to eschew any kind of planning for the future, you need to make at least a few “best-guess” assumptions about what lies ahead.
Although I do think that the coming year will bring more law enforcement efforts to fruition, as a wide range of agencies continue to work together to take down cyber crime operations, I’m sad to say that I see no immediate shortage of criminals willing to take a chance on cyber crime. After all, those chances still look pretty good. The risk of serving time for cyber crime, or getting injured during the execution thereof, is still incredibly low compared to more conventional crimes like walking into a bank and demanding money at gun point. And the rewards are very enticing.
Consider the crime ring busted in 2011 by Operation Ghost Click. According to the FBI, infected computers were used to generate “at least $14 million in fraudulent advertising fees” over a period of four years. Seven people were indicted, but even if the scam involved twice that number, the loot works out at $1 million per person, with almost zero risk of being shot while committing the crime. Compare that with the risky business of robbing a bank. I looked at the FBI’s Bank Crime Statistics going back to 2003, and did not see a single year or calendar quarter in which the average take from a physical bank robbery in the United States exceeded $10,000. In some quarters, the average value of stolen bank loot – the FBI actually uses the term “loot” – was below $8,000.
Remember the “scareware” bust earlier this year when the FBI and law enforcement from at least 10 countries worked together to expose a scam that infected 960,000 computers with fake anti-virus software? That cyber crime project cheated consumers out of more than $72 million over three years. If 24 people were involved, that’s $1 million per person per year. The smart money is clearly on cyber crime, particularly since you don’t need to be smart to commit such crimes.
Consider SpyEye, this year’s break-out product in the “easy-to-use botnet builder” category, complete with plug-and-play bank account hacking modules. A big clue to the target demographic for this product, apart from the slick app-style interface, is the feature that cleans up after that most embarrassing of newbie cyber crime gaffs, infecting your own machine with the malware you’re trying to distribute.
Perhaps, as programs like SpyEye continue to lower the barrier to entry for aspiring cyber criminals, it is time to rephrase the legendary question asked of Willie Sutton, one of the most notorious bank robbers of the 2oth century: Why do you rob banks? To which Mr. Sutton is reported to have answered: Because that’s where the money is. The 21st century version, or Sutton 2.0, might be to ask: Why do you seek unauthorized access to networks and digital devices? Because that’s where the data is, and data is the new currency. Even your basic street criminal knows this.
The chances that a random mugging victim will be carrying a lot of cash are slim. There’s a much better chance they will have a wallet or purse full of data-bearing plastic cards that can be easily converted into whatever the criminal wants, be it illegal drugs, anonymous gift cards, or actual money. The means to convert large amounts of data into wealth are now widely available. For example, the black market in credit card data is thriving, global and accessible from anywhere, as is the market in compromised data access points. Data pertaining to a real person can be used to fake their identity, open bogus accounts in their name, compromise or drain existing accounts, and generate credit cards used to buy gift cards used to buy high-end merchandise that can be traded for cash, or enjoyed in the comfort of your luxury apartment rented in someone else’s name.
In 2012 the struggle to shut down this type of crime will continue, but there will be other forms of cyber crime to contend with as well. According to his autobiography, Where the Money Was: The Memoirs of a Bank Robber, Willie Sutton never gave that famous “where the money is” reason for robbing banks. Here’s what he really thought: “Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life.” Substitute “network” for “bank,” and you pretty much have the definition of a career criminal hacker.